Protect Against PHP Fingerprinting Attacks

Category: Blog • Posted by Jeff Starr • Updated:

This article explains how to protect against PHP "fingerprinting" attacks, whereby an actor attempts to gain sensitive information regarding the version of PHP running on your server. Aka version probing, disclosure, among others.

Before implementing this security technique, take a moment to read about PHP easter eggs, which reveal sensitive version and other information. Then after digesting that information, you can protect your site by adding another layer of protection with the following slice of .htaccess:

# Fingerprinting Attacks
<IfModule mod_rewrite.c>
	RewriteCond %{QUERY_STRING} PHP[a-z0-9]{8}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{12} [NC,OR]
	RewriteCond %{REQUEST_URI} =PHP[a-z0-9]{8}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{12} [NC]
	RewriteRule .* - [F,L]
</IfModule>

No modifications are required, strictly plug-&-play. Once in place, this code blocks any requests that includes the "easter-egg" sequence in either the query string or the request string. Technically only the QUERY_STRING condition is necessary, but the REQUEST_URI condition will protect against derivative/experimental requests targeting the same exploit.

Here are representative examples of the URI requests that are blocked by this technique:

http://example.com/?=PHPE9568F36-D428-11d2-A769-00AA001ACF42
http://example.com/=PHPE9568F36-D428-11d2-A769-00AA001ACF42

The good news about this technique is that it's very specific, targeting a very specific set of conditions that are unlikely to be met by any legitimate requests. So there's like zero chance of false positives :)

Check out my article at Perishable Press to learn more about PHP easter eggs and how to block fingerprint exploits.