Score:0

What information in phpinfo is sensitive?

in flag
Sam

I was told that phpinfo contains sensitive data, so you should delete it in a production environment. But this afternoon I took a good look at it and found nothing interesting. So here's my question: what on earth is sensitive? How is an attacker going to use such information? Or what will s/he learn from the config page?

Score:2
vn flag

An example.

If your phpinfo page reveals that you are using Windows Server 2008 and PHP 5.6, with certain PHP modules, then attackers can easily take control of your server because:

  • Windows Server 2008 is end-of-life, and security issues won't be fixed by Microsoft anymore.
  • PHP 5.6 is end-of-life, and security issues are no longer fixed.
  • Certain modules have their own vulnerabilities, which open the door to attackers.

Even if you use latest Windows and PHP releases, zero day vulnerabilities are out there.

The less information you reveal to the outside world, the more difficult it is for attackers to exploit it.

You'd better hire a security consultant and learn more.

in flag
Sam
Yeah, and I may gonna put my brain into that microwave. Haha.
Score:2
ar flag
bob

In general, the security concern is that the more information your infrastructure and applications "give away" (by disclosing product names, versions and capabilities), the less work an adversary has to do to gather information, and the easier it becomes for them to quickly target specific (known) vulnerabilities.

That makes it best practice in production environments to, among many other things, suppress version numbers, disable debug code/options (like phpinfo()), suppress error messages, and more.

Score:1
ar flag

Every bit of information leaked about your server could potentially be problematic. Even the Apache banner that leaks out if you don't disable it in httpd.conf could lead to a compromise. Go to exploit-db.com and look at, for example, all the vulnerabilities against Apache. Note that most affect specific versions. So now, with phpinfo exposing that info, it's simple for a script kiddie to automatically attack your system, which, even if it's patched, can still cause problems, at least traffic disruptions. Whereas if they don't have a version, they generally won't run anything. Many Apache mods have had issues in the past; that's another thing phpinfo exposes. Certain local exploits run on certain kernels; phpinfo again...

It also shows what DB you are using, so an attacker immediately knows which commands to try when conducting SQL injection attacks. And certain versions are vulnerable to specific exploits.

You can also guess from phpinfo such info as user names, the format of user names, the directory structure... For some attacks you need to know the directory structure, like PUT attacks, where usually the attacker has to make an educated guess, but phpinfo puts that info out there.

Even such info as the server administrator, whom you can then Google and maybe find their security issues on StackExchange...

Basically, phpinfo is a big fat menu for any potential attacker out there. Cover that **** up. And while you are at it, hide your banner versions unless you need that info for some reason.
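To make the two answers above concrete (bob's point about hardening debug options and version disclosure, and the last answer's list of what an attacker reads off the page), here is an added example that is not part of any of the posts: a small Python triage script that parses a phpinfo() page the way an attacker's recon tooling would, pulls out the disclosures the answers mention (OS build, PHP and web-server versions, config file and document-root paths, admin contact, database extensions), and then compares the runtime directives against the values PHP's own php.ini-production ships with. The HTML sample is constructed for this example (the host, paths and address are made up; the `class="e"` / `class="v"` table layout is the one phpinfo() emits, but that is an assumption of the parser, not something the posts state).

```python
import re
from html import unescape

# Constructed sample: a trimmed phpinfo() page. Hostname, paths, admin
# address and versions are invented for the example.
SAMPLE_PHPINFO = r"""
<h1 class="p">PHP Version 5.6.40</h1>
<table>
<tr><td class="e">System </td><td class="v">Windows NT WEB01 6.1 build 7601 (Windows Server 2008 R2 Standard Edition Service Pack 1) AMD64 </td></tr>
<tr><td class="e">Server API </td><td class="v">Apache 2.0 Handler </td></tr>
<tr><td class="e">Loaded Configuration File </td><td class="v">C:\php\php.ini </td></tr>
</table>
<h2><a name="module_Core">Core</a></h2>
<table>
<tr class="h"><th>Directive</th><th>Local Value</th><th>Master Value</th></tr>
<tr><td class="e">allow_url_include</td><td class="v">On</td><td class="v">On</td></tr>
<tr><td class="e">display_errors</td><td class="v">On</td><td class="v">On</td></tr>
<tr><td class="e">expose_php</td><td class="v">On</td><td class="v">On</td></tr>
<tr><td class="e">log_errors</td><td class="v">Off</td><td class="v">Off</td></tr>
</table>
<h2><a name="module_mysqli">mysqli</a></h2>
<h2><a name="module_mysqlnd">mysqlnd</a></h2>
<table>
<tr><td class="e">$_SERVER[&#039;DOCUMENT_ROOT&#039;]</td><td class="v">C:\inetpub\wwwroot\shop </td></tr>
<tr><td class="e">$_SERVER[&#039;SERVER_ADMIN&#039;]</td><td class="v">webmaster@shop.example </td></tr>
<tr><td class="e">$_SERVER[&#039;SERVER_SOFTWARE&#039;]</td><td class="v">Apache/2.2.34 (Win64) PHP/5.6.40 </td></tr>
</table>
"""

# Assumed phpinfo() markup: name cell has class "e", value cell(s) class "v";
# for ini directives the first "v" cell is the Local Value.
ROW_RE = re.compile(r'<tr>\s*<td class="e">(.*?)</td>\s*<td class="v">(.*?)</td>', re.S)
VERSION_RE = re.compile(r'<h1 class="p">PHP Version (.*?)</h1>')
MODULE_RE = re.compile(r'name="module_([A-Za-z0-9_]+)"')

# Rows that hand an attacker OS/build, server software, admin contact and paths.
DISCLOSURE_KEYS = [
    "System", "Server API", "Loaded Configuration File",
    "$_SERVER['SERVER_SOFTWARE']", "$_SERVER['SERVER_ADMIN']", "$_SERVER['DOCUMENT_ROOT']",
]
DB_EXTENSIONS = {"mysql", "mysqli", "mysqlnd", "pdo_mysql", "pgsql", "pdo_pgsql",
                 "sqlite3", "pdo_sqlite", "oci8", "sqlsrv", "pdo_sqlsrv", "mssql"}

# Values from the php.ini-production file that ships with PHP.
PRODUCTION_VALUES = {
    "expose_php": "Off",        # stops the X-Powered-By: PHP/x.y.z response header
    "display_errors": "Off",    # keeps stack traces and file paths out of responses
    "log_errors": "On",         # errors go to the log instead
    "allow_url_include": "Off", # no remote file inclusion via include/require
}


def parse_phpinfo(html):
    """Return {'PHP Version': str|None, 'modules': [names], 'rows': {name: local value}}."""
    info = {"PHP Version": None, "modules": MODULE_RE.findall(html), "rows": {}}
    m = VERSION_RE.search(html)
    if m:
        info["PHP Version"] = m.group(1).strip()
    for name, value in ROW_RE.findall(html):
        info["rows"][unescape(name).strip()] = unescape(value).strip()
    return info


def disclosures(info):
    """What the page tells an attacker before they send a single probe."""
    found = {"PHP Version": info["PHP Version"]}
    for key in DISCLOSURE_KEYS:
        if key in info["rows"]:
            found[key] = info["rows"][key]
    # Loaded DB drivers narrow the SQL dialect for injection attempts.
    found["database extensions"] = sorted(
        m for m in info["modules"] if m.lower() in DB_EXTENSIONS)
    return found


def audit_directives(info):
    """php.ini directives that differ from php.ini-production: [(name, current, wanted)]."""
    findings = []
    for directive, wanted in PRODUCTION_VALUES.items():
        current = info["rows"].get(directive)
        if current is not None and current.lower() != wanted.lower():
            findings.append((directive, current, wanted))
    return findings


if __name__ == "__main__":
    info = parse_phpinfo(SAMPLE_PHPINFO)
    print("Disclosed to anyone who can fetch the page:")
    for key, value in disclosures(info).items():
        print(f"  {key}: {value}")
    print("php.ini lines to change (and then remove the phpinfo file itself):")
    for directive, current, wanted in audit_directives(info):
        print(f"  {directive} = {wanted}   ; currently {current}")
```

Run against a saved phpinfo page, the disclosures section is the recon summary the last answer describes (EOL OS and PHP, exact Apache build, DB driver, document root, admin address), and the audit section is the short list bob's answer refers to. Note the audit only flags what the page itself reveals; the fix for phpinfo being reachable at all is to delete the file, not to tune directives.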
