PHP expose_php is on

By
Manieendar Mohan
Published on
02 May 2022
1 min read

The expose_php directive controls whether PHP advertises its presence and version to clients, chiefly through the X-Powered-By: PHP/x.y.z response header. If expose_php is On, anyone who sends a request to the application can read the exact PHP version running on the server. If that version has publicly known vulnerabilities, the attacker no longer has to guess: the disclosed version tells them which known flaws apply to the server. Developers often leave expose_php On in the belief that it lets APIs interact with the system without compatibility issues. Enabling expose_php for API support is unnecessary: APIs exchange data in formats such as JSON and XML, which are independent of the PHP version header, so there is no compatibility problem for the header to solve.
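The check a defender actually runs is to look at the response headers of their own application and see whether the PHP version is disclosed. The following script is an added example, not code from the original post or from Beagle Security: it parses raw HTTP responses (the three responses below are constructed samples, not captures from any real host) and reports whether an X-Powered-By header carries a PHP version. It tolerates header name casing, duplicate headers added by proxies, and a distribution-suffixed version string.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample responses (not captured from any real host).
RESPONSE_EXPOSED = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.4.3-4ubuntu2.18\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html>...</html>"
)
RESPONSE_HARDENED = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html>...</html>"
)
RESPONSE_OTHER_STACK = (
    "HTTP/1.1 200 OK\r\n"
    "x-powered-by: Express\r\n"
    "Content-Type: application/json\r\n"
    "\r\n"
    "{}"
)

# PHP emits "PHP/" followed by PHP_VERSION; distro builds may append a suffix
# such as "-4ubuntu2.18", so capture everything up to whitespace or a separator.
PHP_VERSION_RE = re.compile(r"^PHP/(\d[^\s,;]*)", re.IGNORECASE)


def parse_headers(raw_response: str) -> List[Tuple[str, str]]:
    """Split a raw HTTP/1.x response into (name, value) header pairs.

    Names are lower-cased because HTTP header names are case-insensitive.
    Duplicates are kept: a reverse proxy may add its own X-Powered-By.
    """
    head, _, _body = raw_response.partition("\r\n\r\n")
    lines = head.split("\r\n")[1:]  # drop the status line
    headers: List[Tuple[str, str]] = []
    for line in lines:
        if ":" not in line:
            continue  # tolerate a malformed line instead of aborting the audit
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def disclosed_php_version(raw_response: str) -> Optional[str]:
    """Return the PHP version string leaked via X-Powered-By, or None."""
    for name, value in parse_headers(raw_response):
        if name != "x-powered-by":
            continue
        match = PHP_VERSION_RE.match(value)
        if match:
            return match.group(1)
    return None


def audit(raw_response: str) -> str:
    """One-line finding for a response, suitable for a CI log."""
    version = disclosed_php_version(raw_response)
    if version is None:
        return "OK: no PHP version disclosed in X-Powered-By"
    return f"FINDING: expose_php appears to be On (PHP {version} disclosed)"


if __name__ == "__main__":
    samples = [
        ("exposed", RESPONSE_EXPOSED),
        ("hardened", RESPONSE_HARDENED),
        ("other", RESPONSE_OTHER_STACK),
    ]
    for label, resp in samples:
        print(f"{label:9s} {audit(resp)}")
```

Feed it the raw response of a request to your own application (for example the output of `curl -si`), and treat any FINDING line as a failed configuration check. A missing X-Powered-By header is the expected state after the fix in the Mitigation section.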

Example

The following php.ini setting is an example of this misconfiguration:

        expose_php = on

Impact

Using the disclosed version information, an attacker can:

  • manipulate sensitive information
  • leak sensitive information
  • gain administrator access to the web application

Mitigation / Precaution

Beagle recommends the following fixes:

  • Disable expose_php in php.ini or .htaccess:

        expose_php = off

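Because the compiled-in default for expose_php is On, a php.ini that merely comments the directive out still leaks the version. The following script is an added example, not part of the original post or of Beagle Security's tooling: it parses php.ini text (the three fragments below are constructed samples) and reports the effective expose_php state, interpreting boolean spellings the way PHP's ini parser does and treating an absent directive as On.

```python
import re
from typing import Dict, Optional

# Constructed php.ini fragments, not taken from any real deployment.
INI_EXPOSED = """
[PHP]
; Decides whether PHP may expose the fact that it is installed on the server
expose_php = On
"""

INI_HARDENED = """
[PHP]
expose_php = Off   ; hardened: no X-Powered-By header
"""

INI_COMMENTED_OUT = """
[PHP]
;expose_php = Off
"""

# Boolean spellings PHP accepts in ini files; comparison is case-insensitive.
TRUE_WORDS = {"1", "on", "true", "yes"}
FALSE_WORDS = {"0", "off", "false", "no", "none", ""}

DIRECTIVE_RE = re.compile(r"^\s*([A-Za-z0-9_.]+)\s*=\s*(.*?)\s*$")


def parse_php_ini(text: str) -> Dict[str, str]:
    """Return directive -> raw value for a php.ini body.

    Comment lines (';'), [section] headers and blank lines are skipped.
    A later duplicate wins, matching how PHP reads php.ini. Inline ';'
    comments are stripped; quoted values containing ';' are not handled,
    which is fine for the boolean directives audited here.
    """
    directives: Dict[str, str] = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in ";[":
            continue
        m = DIRECTIVE_RE.match(line)
        if not m:
            continue
        name, value = m.group(1).lower(), m.group(2)
        value = value.split(";", 1)[0].strip().strip("\"'")
        directives[name] = value
    return directives


def ini_bool(value: Optional[str]) -> Optional[bool]:
    """Interpret a php.ini boolean; None if absent or unrecognised."""
    if value is None:
        return None
    v = value.strip().lower()
    if v in TRUE_WORDS:
        return True
    if v in FALSE_WORDS:
        return False
    return None


def expose_php_enabled(ini_text: str) -> bool:
    """True if the effective expose_php setting is On.

    The default is On, so an absent, commented-out or unparseable directive
    leaves the version header enabled and must be reported as exposed.
    """
    value = ini_bool(parse_php_ini(ini_text).get("expose_php"))
    return True if value is None else value


if __name__ == "__main__":
    samples = [
        ("exposed", INI_EXPOSED),
        ("hardened", INI_HARDENED),
        ("commented", INI_COMMENTED_OUT),
    ]
    for label, ini in samples:
        state = "On (version disclosed)" if expose_php_enabled(ini) else "Off"
        print(f"{label:10s} expose_php = {state}")
```

Run it against the php.ini your SAPI actually loads, and confirm the result with `php -i`, which prints the effective expose_php value. Note that expose_php is a PHP_INI_ONLY directive: it takes effect only from php.ini (or the SAPI's own configuration), not from a runtime ini_set() call, so the file-level check above is the one that matters.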

Written by
Manieendar Mohan
Cyber Security Lead Engineer