PHP vulnerability: phpinfo() output accessible



Many PHP installation tutorials tell the user to create a file such as "phpinfo.php" containing a single phpinfo() call to verify that the interpreter works. That file is often left in the web root after the installation is finished, where anyone who guesses its name can request it without authentication.


phpinfo() prints the interpreter's complete configuration. Among other things the page reveals:

  • the exact PHP version and every loaded extension with its version,
  • the account the PHP process runs as (visible in the Environment section as APACHE_RUN_USER or USER), which tells an attacker what privileges a successful exploit would inherit,
  • the server's IP address and hostname ($_SERVER['SERVER_ADDR'] and SERVER_NAME),
  • the web server software and version ($_SERVER['SERVER_SOFTWARE']),
  • the operating system and kernel build (the "System" row, i.e. the output of uname),
  • the document root and the script's absolute path ($_SERVER['DOCUMENT_ROOT'] and SCRIPT_FILENAME),
  • security-relevant directives such as disable_functions, open_basedir, allow_url_include and display_errors, together with the path of the loaded php.ini,
  • every environment variable of the process, which on carelessly configured hosts includes database passwords and API keys.

None of this is exploitable on its own, but it removes the guesswork from an attack: the version numbers point to known vulnerabilities in PHP, its extensions and the web server; the absolute paths are what file-inclusion and path-traversal payloads need; the process user bounds what a web shell could do; and leaked environment variables may be usable credentials in their own right.
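The following is an added example, not code from the original page: a small detector of the kind a scanner or log-review script would run, which fingerprints a phpinfo() response and extracts the items listed above. SAMPLE_PHPINFO is a constructed, heavily trimmed response in the real phpinfo() HTML layout (entry name in a `<td class="e">` cell, value in the following `<td class="v">` cell); the host, paths, versions and the DB_PASSWORD variable in it are made up.

```python
"""Detect an exposed phpinfo() page and pull out what it leaks.

Added example, not code from the original page. SAMPLE_PHPINFO is a
constructed, heavily trimmed response in the real phpinfo() HTML layout
(entry name in <td class="e">, value in <td class="v">); the host, paths,
versions and the DB_PASSWORD variable in it are made up.
"""
import html
import re

SAMPLE_PHPINFO = """<html><head><title>phpinfo()</title></head><body>
<h1 class="p">PHP Version 7.4.3</h1>
<table>
<tr><td class="e">System </td><td class="v">Linux web01 5.4.0-42-generic #46-Ubuntu SMP x86_64 </td></tr>
<tr><td class="e">Loaded Configuration File </td><td class="v">/etc/php/7.4/apache2/php.ini </td></tr>
<tr><td class="e">disable_functions </td><td class="v">no value </td></tr>
<tr><td class="e">allow_url_include </td><td class="v">On </td></tr>
</table>
<h2>Environment</h2>
<table>
<tr><td class="e">APACHE_RUN_USER </td><td class="v">www-data </td></tr>
<tr><td class="e">DB_PASSWORD </td><td class="v">s3cret&lt;1&gt; </td></tr>
</table>
<h2>PHP Variables</h2>
<table>
<tr><td class="e">$_SERVER['SERVER_SOFTWARE'] </td><td class="v">Apache/2.4.41 (Ubuntu) </td></tr>
<tr><td class="e">$_SERVER['SERVER_ADDR'] </td><td class="v">10.0.3.17 </td></tr>
<tr><td class="e">$_SERVER['DOCUMENT_ROOT'] </td><td class="v">/var/www/html </td></tr>
<tr><td class="e">$_SERVER['SCRIPT_FILENAME'] </td><td class="v">/var/www/html/phpinfo.php </td></tr>
</table></body></html>"""

# One configuration row: the name cell followed by the value cell.
ROW_RE = re.compile(r'<td class="e">(.*?)</td>\s*<td class="v">(.*?)</td>', re.S)
VERSION_RE = re.compile(r'<h1 class="p">PHP Version ([^<]+)</h1>')
# Environment variable names that usually hold credentials.
SECRET_NAME_RE = re.compile(r'(PASS|SECRET|TOKEN|KEY|PRIVATE)', re.I)


def is_phpinfo_page(body):
    """Cheap fingerprint a scanner can apply to every response body."""
    return "<title>phpinfo()</title>" in body or VERSION_RE.search(body) is not None


def parse_rows(body):
    """Flatten every name/value row into a dict (later tables win on clashes)."""
    return {html.unescape(k).strip(): html.unescape(v).strip()
            for k, v in ROW_RE.findall(body)}


def leaked_facts(body):
    """Summarise the items an attacker reads off the page."""
    rows = parse_rows(body)

    def srv(key):
        return rows.get("$_SERVER['%s']" % key)

    m = VERSION_RE.search(body)
    return {
        "php_version": m.group(1).strip() if m else None,
        "system": rows.get("System"),
        "server_software": srv("SERVER_SOFTWARE"),
        "server_addr": srv("SERVER_ADDR"),
        "document_root": srv("DOCUMENT_ROOT"),
        "script_path": srv("SCRIPT_FILENAME"),
        # The process user is what a successful exploit would run as.
        "run_user": rows.get("APACHE_RUN_USER") or rows.get("USER") or rows.get("LOGNAME"),
        "php_ini": rows.get("Loaded Configuration File"),
        "disable_functions": rows.get("disable_functions"),
        "allow_url_include": rows.get("allow_url_include"),
        # Environment entries only; $_SERVER rows carry request data, not secrets.
        "secret_env": {k: v for k, v in rows.items()
                       if SECRET_NAME_RE.search(k) and not k.startswith("$_SERVER[")},
    }


if __name__ == "__main__":
    if is_phpinfo_page(SAMPLE_PHPINFO):
        for name, value in leaked_facts(SAMPLE_PHPINFO).items():
            print("%-18s %s" % (name, value))
```

Run against a real capture, the same two-function pipeline (fingerprint, then row extraction) works because phpinfo() has used the "e"/"v" cell classes for many years; the only field that needs care is the process user, which appears under different environment variable names depending on how the web server was started.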


Delete the "phpinfo.php" (or similar) file, and search the web root for any other script that calls phpinfo(), since the name varies between tutorials. If the page must stay for diagnostics, restrict it with file-system permissions or web-server access controls (for example an Apache <Files> block with Require all denied, or an nginx location that only allows administrative addresses). As defence in depth, add phpinfo to disable_functions in php.ini so that a forgotten copy prints nothing, and set expose_php = Off so the PHP version is not advertised in the X-Powered-By header either.
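An added audit script, not part of the original page, that performs the two checks above: it walks a document root for PHP files that call phpinfo() and reports whether a php.ini text disables the function. The sample document root is built in a temporary directory from constructed files, and the two php.ini fragments are constructed too, showing the weak distro-style defaults beside the hardened settings.

```python
"""Find leftover phpinfo() scripts in a document root and check php.ini.

Added example, not code from the original page. The sample document root is
built in a temporary directory from constructed files; the two php.ini
fragments are likewise constructed and show the weak and hardened settings.
"""
import os
import re
import tempfile

# A call to phpinfo in source; PHP function names are case-insensitive.
PHPINFO_CALL = re.compile(r'\bphpinfo\s*\(', re.I)
# Extensions commonly mapped to the PHP handler; adjust to the server's config.
PHP_EXTS = {".php", ".phtml", ".php5", ".php7"}

WEAK_PHP_INI = """; typical distribution default: nothing disabled, version advertised
expose_php = On
disable_functions =
"""

HARDENED_PHP_INI = """; phpinfo() prints nothing even if a forgotten script survives
expose_php = Off
disable_functions = phpinfo,passthru,shell_exec,system
"""


def find_phpinfo_scripts(docroot):
    """Return PHP files under docroot that call phpinfo(), as sorted posix paths."""
    hits = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            if os.path.splitext(name)[1].lower() not in PHP_EXTS:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    if PHPINFO_CALL.search(fh.read()):
                        hits.append(os.path.relpath(path, docroot).replace(os.sep, "/"))
            except OSError:
                continue  # unreadable file: skip rather than abort the audit
    return sorted(hits)


def phpinfo_disabled(php_ini_text):
    """True if the last disable_functions line in php_ini_text lists phpinfo."""
    disabled = set()
    for line in php_ini_text.splitlines():
        line = line.split(";", 1)[0].strip()          # drop ini comments
        m = re.match(r'disable_functions\s*=\s*(.*)$', line, re.I)
        if m:                                          # later lines override earlier ones
            value = m.group(1).strip().strip('"')
            disabled = {f.strip().lower() for f in value.split(",") if f.strip()}
    return "phpinfo" in disabled


def build_sample_docroot():
    """Create a constructed web root: two leftover scripts and two decoys."""
    root = tempfile.mkdtemp(prefix="docroot-")
    os.makedirs(os.path.join(root, "tools"))
    samples = {
        "phpinfo.php": "<?php phpinfo(); ?>\n",
        "tools/info.php": "<?php\n// left behind by the install guide\nPHPINFO ();\n",
        "index.php": "<?php echo 'hello'; ?>\n",
        "README.txt": "run phpinfo() to check the install\n",   # not served as PHP
    }
    for rel, body in samples.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    root = build_sample_docroot()
    print("phpinfo scripts:", find_phpinfo_scripts(root))
    print("weak ini disables phpinfo:", phpinfo_disabled(WEAK_PHP_INI))
    print("hardened ini disables phpinfo:", phpinfo_disabled(HARDENED_PHP_INI))
```

Point find_phpinfo_scripts at the real DocumentRoot and phpinfo_disabled at the php.ini path that the "Loaded Configuration File" row names; a clean result from both, plus an access-control rule for any file you decide to keep, closes the issue.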

