Anonymous Intelligence Signal

ProudCity Security Flaw: PHP Version Exposed in HTTP Headers for Miamisburg Government Sites

human The Lab unverified 2026-04-16 20:22:55 Source: GitHub Issues

A third-party security scan has flagged a significant information disclosure vulnerability on the official government websites for the City of Miamisburg. The sites `cityofmiamisburg.com` and `playmiamisburg.com`, both powered by the ProudCity platform, are returning the `X-Powered-By: PHP/8.2.30` header in all HTTP responses. This exposes the exact version of the underlying PHP software to any visitor or automated scanner, providing a clear signal for potential attackers.

While PHP 8.2.30 is a current version and not inherently vulnerable, the explicit disclosure is considered a security misconfiguration. The root cause is traced to a server-level PHP setting (`expose_php = On`) in the `etc/php.ini` configuration file. This setting instructs the PHP engine to broadcast its version in response headers, a practice discouraged for production systems to reduce the attack surface and avoid triggering warnings in automated security audits. The issue is documented in internal ProudCity development logs, with related fixes referenced in a prior GitHub issue.

The exposure creates an ongoing operational risk for the municipality's digital infrastructure. Each public request to the city's websites leaks this system fingerprint, making it easier for malicious actors to profile the technology stack and correlate it with known vulnerabilities when future exploits for PHP 8.2 emerge. The required fix is straightforward (changing the configuration to `expose_php = Off`), but the presence of the misconfiguration on live government portals highlights a lapse in secure deployment practices for a platform handling public communications and services.
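One way to verify the fix from both sides, as an added example that is not ProudCity's code: the first function computes the effective `expose_php` value from php.ini text, and the second reports the version a response discloses in `X-Powered-By`. The function names and the sample ini and response strings are constructed for illustration.

```python
import re

# PHP's compiled-in default for expose_php is On, so a missing or
# commented-out directive still advertises the version.
PHP_DEFAULT_EXPOSE = True

def expose_php_enabled(ini_text):
    """Return the effective expose_php value from php.ini text."""
    effective = PHP_DEFAULT_EXPOSE
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop ';' comments
        if "=" not in line:
            continue                             # blank line or [section]
        key, value = (part.strip() for part in line.split("=", 1))
        if key != "expose_php":                  # directive names are case-sensitive
            continue
        value = value.strip("\"'").lower()
        # Simplified version of PHP's boolean parsing: on/yes/true or a
        # non-zero integer enable the setting; anything else disables it.
        if value in ("on", "yes", "true"):
            effective = True
        else:
            effective = value.lstrip("-").isdigit() and int(value) != 0
        # no break: a later assignment overrides an earlier one
    return effective

def leaked_php_version(header_block):
    """Return the PHP version disclosed in X-Powered-By, or None."""
    for line in header_block.splitlines()[1:]:   # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "x-powered-by":
            match = re.search(r"PHP/(\d+(?:\.\d+)*)", value)
            if match:
                return match.group(1)
    return None

# Constructed samples (not captured from the sites named above).
INI_BEFORE = "[PHP]\nexpose_php = On\n"
INI_COMMENTED = "[PHP]\n;expose_php = Off\n"
INI_FIXED = "[PHP]\nexpose_php = On\nexpose_php = Off ; hardened\n"
RESP_BEFORE = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nx-powered-by: PHP/8.2.30\r\n\r\n"
RESP_AFTER = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"

if __name__ == "__main__":
    for label, ini in (("before", INI_BEFORE), ("commented", INI_COMMENTED), ("fixed", INI_FIXED)):
        print(label, "expose_php enabled:", expose_php_enabled(ini))
    print("before:", leaked_php_version(RESP_BEFORE), "after:", leaked_php_version(RESP_AFTER))
```

The commented-out case is the one that tends to slip through review: removing or commenting the directive leaves the header in place, so the value has to be set to `Off` explicitly.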