PHP expose_php is on

OWASP 2013-A5 OWASP 2017-A6 OWASP 2021-A5 CWE-200 WASC-13

The expose_php directive controls whether PHP advertises its presence and version to clients. When it is on (the PHP default), every response generated by PHP carries an X-Powered-By header such as X-Powered-By: PHP/7.4.33, and on PHP releases older than 5.5 it also enabled the PHP logo and credits "easter egg" query strings. An attacker who reads that header learns the exact PHP release without having to probe for it and can check it against public vulnerability databases; if the server runs an unpatched version, the attacker can go straight to the published exploits for that release instead of guessing. The header gives no functional benefit: PHP applications and APIs (JSON, XML or otherwise) behave identically with it removed, so it is usually on simply because the default was never changed. Turning it off hides the banner but fixes nothing underneath; an outdated PHP still needs to be upgraded, and the version may still be inferred from other signals (verbose error pages, exposed phpinfo() pages, behavioural differences). Disabling expose_php is a defence-in-depth measure that removes a free fingerprint.


The following php.ini setting (which is also the PHP default) enables the disclosure:-

        expose_php = on



Using this information leak, an attacker can:-

  • identify the exact PHP version running on the server from a single HTTP response
  • match that version against published vulnerabilities and pick exploits known to apply to it instead of probing blindly
  • prioritise the host among many targets, since an outdated banner marks a server that is likely unpatched elsewhere too

Mitigation / Precaution

Beagle recommends the following fixes:-

  • Disable expose_php in php.ini. The directive is PHP_INI_SYSTEM, so it cannot be set in .htaccess or with ini_set(); on Apache it can alternatively be set with a php_admin_flag line in the server configuration. Restart the web server or PHP-FPM afterwards.
        expose_php = off
  • Verify the change with an HTTP HEAD request against the site and confirm that no X-Powered-By: PHP header is returned.
  • Keep PHP itself on a supported, patched release; hiding the version is not a substitute for upgrading.
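The following Python script is an added example for both the explanation above and the verification step in the mitigation; it is not part of the original page and not Beagle's code. It parses a raw HTTP response, reports whether an X-Powered-By: PHP banner is present, extracts the version, and flags it against a caller-supplied minimum version. The two sample responses and the default threshold of 8.1 are constructed assumptions for the example, not values from the page.

```python
"""Detect an expose_php version banner in a raw HTTP response (added example)."""
import re
from http.client import parse_headers
from io import BytesIO

# Constructed sample responses for the example; not captured from a real server.
RESPONSE_EXPOSED = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    b"Server: Apache\r\n"
    b"X-Powered-By: PHP/7.4.33\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"\r\n"
    b"<html>...</html>"
)
RESPONSE_HARDENED = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"\r\n"
    b"<html>...</html>"
)

# expose_php emits "PHP/<major>.<minor>.<patch>"; the patch part is optional here
# so that trimmed banners still parse.
PHP_BANNER = re.compile(r"^PHP/(\d+)\.(\d+)(?:\.(\d+))?", re.IGNORECASE)


def check_expose_php(raw_response, min_version=(8, 1)):
    """Return a dict describing whether the response leaks the PHP version.

    min_version is a hypothetical policy threshold chosen by the caller (the
    page names none); a leaked major.minor below it is reported as 'outdated'.
    """
    stream = BytesIO(raw_response)
    stream.readline()  # skip the status line, e.g. "HTTP/1.1 200 OK"
    headers = parse_headers(stream)  # reads up to the blank line; case-insensitive lookup
    banner = headers.get("X-Powered-By")
    result = {"exposed": False, "version": None, "outdated": False, "banner": banner}
    if banner is None:
        return result
    match = PHP_BANNER.match(banner.strip())
    if not match:
        # Another framework's X-Powered-By (e.g. "Express"); not expose_php.
        return result
    version = tuple(int(part) for part in match.groups() if part is not None)
    result["exposed"] = True
    result["version"] = version
    result["outdated"] = version[:2] < tuple(min_version[:2])
    return result


if __name__ == "__main__":
    for label, raw in (("exposed", RESPONSE_EXPOSED), ("hardened", RESPONSE_HARDENED)):
        print(label, check_expose_php(raw))
```

In practice the raw bytes would come from a HEAD or GET request to the target (for example the output of curl -si), and the hardened case is what a correctly configured server should produce after the fix. An absent banner is a pass only for this one fingerprint; the version may still leak through error pages or other headers, so the check complements rather than replaces an upgrade.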

