Exposing PHP is a Security Risk

In php.ini, there is this:
; Misc
;
; Decides whether PHP may expose the fact that it is installed on the server
; (e.g. by adding its signature to the Web server header). It is no security
; threat in any way, but it makes it possible to determine whether you use PHP
; on your server or not.
expose_php = On

What this means is that for every request that calls on PHP, it sends an additional header that looks something like this:

X-Powered-By: PHP/5.2.3-1ubuntu6

Since I installed this via apt-get, it added a 1ubuntu6 to the end, which I think is a slight security risk in and of itself, but that's not what this is about.

But what it always does, no matter how you installed it, is show the PHP version. In this case, 5.2.3, 2 revisions ago (Hooray outdated repositories! Seriously, it's from May. Though you do have Debian beat.).

Now, in the perfect world, this wouldn't be a security risk, since everyone would have the most updated version of their software, but as everyone knows, that just doesn't happen. Mine was just installed, and it's already out of date.

This means that for 80% of the PHP population (98% of statistics are made up on the spot), PHP is advertising itself as an outdated, and probably vulnerable, version. Most likely you aren't even using any of the vulnerable functions, or even knew they existed, but there's still a chance you are. During the month of PHP bugs, there were more than a few functions with vulnerabilities that I used on many occasions.

WordPress does something similar. It gives out your WordPress version in a meta tag on every page load, and the only way to get rid of it is editing your template. WordPress is even harder to upgrade than PHP, so expect to find it outdated at a much higher frequency.

Apache, and pretty much every other server out there, does much the same thing with its Server header, but Apache gives you options for how much of it to display: Apache/1.3.37 (you have to show all of that for the 1337 though), Apache/1.3, Apache/1, or maybe just Apache.

With PHP, it's all or bust. Not PHP/5 or just PHP. You can override the header in a given script by doing something like:

<?php
// Replaces PHP's own X-Powered-By header; must run before any output is sent.
header("X-Powered-By: Love-Cookies-and-Hamsters/2.4");
?>

Or something similar, but you have to do it manually for every script. There isn't really a server wide override.

Now, this point can almost be moot, since it's just so easy to find phpinfo()'s.
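As an added check that is not part of the original post, here is a small Python script that parses a raw HTTP response and lists every version disclosure the post describes: the Server header, the X-Powered-By header (with any distro suffix such as 1ubuntu6 reported separately), and the WordPress generator meta tag. The sample response is constructed for the example, not captured from a real server.

```python
import re

# Constructed sample response, modelled on the headers quoted in the post
# (not captured from any real server).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/1.3.37 (Ubuntu)\r\n"
    "X-Powered-By: PHP/5.2.3-1ubuntu6\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    '<html><head><meta name="generator" content="WordPress 2.3" /></head></html>'
)

# product/version[suffix], e.g. "PHP/5.2.3-1ubuntu6" -> ("PHP", "5.2.3", "-1ubuntu6")
VERSION_RE = re.compile(r"^([A-Za-z][\w.-]*?)/(\d+(?:\.\d+)*)([^\s(]*)")
GENERATOR_RE = re.compile(r'<meta\s+name="generator"\s+content="([^"]*)"', re.I)


def parse_response(raw):
    """Split a raw HTTP response into a lower-cased header dict and the body."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def classify(value):
    """Describe how much a Server/X-Powered-By value gives away.
    Returns (product, version, suffix): version is '' when only the product
    name is shown (like Apache's ServerTokens Prod); suffix holds a distro tag."""
    m = VERSION_RE.match(value)
    if not m:
        return value.split()[0] if value else "", "", ""
    return m.group(1), m.group(2), m.group(3)


def audit(raw):
    """List every version disclosure in the response: headers and WP meta tag."""
    headers, body = parse_response(raw)
    findings = []
    for name in ("server", "x-powered-by"):
        if name in headers:
            product, version, suffix = classify(headers[name])
            if version:  # a bare product name discloses no version
                findings.append((name, product, version, suffix))
    m = GENERATOR_RE.search(body)
    if m:
        findings.append(("meta generator", m.group(1), "", ""))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_RESPONSE):
        print(finding)
```

Run it against a response captured from your own server (for example the output of a raw socket fetch or a saved curl -i transcript) to confirm that expose_php, ServerTokens and the template fix actually took effect.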

One Comment

  1. ThaNerd says:

    There isn’t really a server wide override.

    Yeah, right…

    echo "">/etc/php/security.php
    chown apache:apache /etc/php/security.php
    echo "auto_prepend_file=/etc/php/security.php">>/etc/php/apache2-php5/php.ini
