The expose_php setting controls whether information about the server's PHP version is disclosed to users. When expose_php is set to On, an attacker can read the version of PHP running on the application's server from its responses. If the application runs on a vulnerable version of PHP, the attacker can then look up and exploit the vulnerabilities known for that version. Developers usually turn expose_php on so that APIs can interact with the system without compatibility issues. Enabling expose_php for API support is a poor idea, because APIs can exchange data through JSON, XML and many other formats; these formats are well suited to APIs precisely because they do not have compatibility issues.
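As an added illustration (not code from the original page), the snippet below shows the weak php.ini setting beside the hardened one, resolves the effective value the way PHP does (an absent directive falls back to the built-in default, On), and detects the resulting version disclosure in a response. The ini fragments and HTTP headers are constructed samples; the version string is a placeholder.

```python
import re

# Constructed php.ini fragments: the weak setting, the hardened setting, and
# a config that never mentions expose_php (PHP then uses its default, On).
WEAK_INI = "; typical production config\nexpose_php = On\n"
HARDENED_INI = "expose_php = Off\n"
SILENT_INI = "display_errors = Off\n"  # expose_php absent -> default On

# Constructed response headers as PHP sends them with expose_php On and Off.
# The version number is a placeholder, not taken from any real server.
LEAKY_HEADERS = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "X-Powered-By: PHP/8.1.2\r\n"
    "Content-Type: text/html\r\n\r\n"
)
QUIET_HEADERS = "HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\n"


def _ini_bool(value: str) -> bool:
    """Approximate PHP's boolean ini parsing: on/true/yes or a non-zero
    number enable the directive; anything else (off, 0, none, '') disables."""
    v = value.strip().strip('"').lower()
    if v in {"on", "true", "yes"}:
        return True
    try:
        return int(v) != 0
    except ValueError:
        return False


def expose_php_enabled(ini_text: str) -> bool:
    """Return the effective expose_php value for a php.ini fragment."""
    enabled = True  # PHP's compiled-in default when the directive is absent
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # strip ini comments
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.lower() == "expose_php":
            enabled = _ini_bool(value)  # last occurrence wins, as in PHP
    return enabled


def php_version_leak(response_headers: str):
    """Return the PHP version disclosed via X-Powered-By, or None if absent."""
    for line in response_headers.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "x-powered-by":
            match = re.match(r"\s*PHP/(\S+)", value)
            if match:
                return match.group(1)
    return None
```

Running `php_version_leak` over the headers of a real deployment is a cheap post-hardening check: once `expose_php = Off` is in effect, the X-Powered-By header disappears and the function returns None.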
The below code is an example of this vulnerability:-
Using this vulnerability, an attacker can:-
Beagle recommends the following fixes:-