Because every system is setup differently, phpinfo() is commonly used to check configuration settings and for available predefined variables on a given system. phpinfo() is also a valuable debugging tool as it contains all EGPCS (Environment, GET, POST, Cookie, Server) data.
phpinfo() is a PHP function or a snippet of code that takes in one or more parameters and returns a value. Running phpinfo() will display information regarding your site's PHP configuration, including: The current version of PHP your site is running. Your server information and environment.
A successful PHP Object Injection can lead to further attacks such as SQL Injection, Code Injection, Path Traversal, and even a complete web application takedown. To prevent PHP Object Injections, you must verify and sanitize every input accepted by your web application to ensure no PHP objects were submitted.
PHP Object Injection is an application level vulnerability that could allow an attacker to perform different kinds of malicious attacks, such as Code Injection, SQL Injection, Path Traversal and Application Denial of Service, depending on the context.
Knowing the structure of your filesystem might allow hackers to execute directory traversal attacks if your site is vulnerable to them.
I think exposing phpinfo() on its own isn't necessarily a risk, but in combination with another vulnerability could lead to your site becoming compromised.
Obviously, the less specific info hackers have about your system, the better. Disabling phpinfo() won't make your site secure, but will make it slightly more difficult for them.
Besides the obvious like being able to see if register_globals
is On, and where files might be located in your include_path, there's all the $_SERVER
($_SERVER["DOCUMENT_ROOT"]
can give clues to define a relative pathname to /etc/passwd
) and $_ENV
information (it's amazing what people store in $_ENV
, such as encryption keys)
The biggest problem is that many versions make XSS attacks simple by printing the contents of the URL and other data used to access it.
http://www.php-security.org/MOPB/MOPB-08-2007.html
A well-configured, up-to-date system can afford to expose phpinfo()
without risk.
Still, it is possible to get hold of so much detailed information - especially module versions, which could make a cracker's life easier when newly-discovered exploits come up - that I think it's good practice not to leave them up. Especially on shared hosting, where you have no influence on everyday server administration.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With