PHP vulnerability: phpinfo() output accessible


Summary

Many PHP installation tutorials instruct the user to create a file called "phpinfo.php" or similar containing a "phpinfo()" statement. Such a file is often left in the web server's document root after the installation is complete, where anyone who can reach the server can request it.

Impact

Some of the information that can be gathered from "phpinfo()" includes:

  • the username of the user who installed php,
  • if they are a SUDO user,
  • the IP address of the host,
  • the web server version,
  • the operating system version (Unix / Linux),
  • and the root directory of the web server.

An attacker can use this information as reconnaissance when targeting the system.

Solution

Delete the "phpinfo.php" (or similar) file, or use file system or web server access controls to restrict access to it.
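As an added example (not part of the original article), the following POSIX shell script locates leftover files that call phpinfo() under a web root, so they can be deleted, and prints the Apache 2.4 directive that denies access to one such file until it is removed. The web-root path, the constructed demo files and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original article: find files under a web root
# that call phpinfo(), and emit an Apache 2.4 access-control snippet for them.
# Assumptions: POSIX sh with find and grep; the web root is passed as "$1".

# Print the path of every .php file under "$1" that calls phpinfo().
# "-exec ... \;" keeps find's exit status independent of grep's no-match status.
find_phpinfo_files() {
    webroot="$1"
    find "$webroot" -type f -name '*.php' \
        -exec grep -l 'phpinfo[[:space:]]*(' {} \;
}

# Count such files; a non-zero result is a deployment check failure.
count_phpinfo_files() {
    find_phpinfo_files "$1" | wc -l | tr -d ' '
}

# Emit an Apache 2.4 <Files> block that denies all access to the named file
# (a stop-gap until the file itself is deleted).
apache_deny_snippet() {
    printf '<Files "%s">\n    Require all denied\n</Files>\n' "$1"
}

# Build a constructed demo web root (temporary directory) so the script runs
# stand-alone; prints its path. Two files call phpinfo(), one does not.
make_demo_root() {
    root=$(mktemp -d)
    mkdir -p "$root/app"
    printf '<?php phpinfo(); ?>\n' > "$root/phpinfo.php"
    printf '<?php\n  phpinfo ();\n' > "$root/app/info.php"
    printf '<?php echo "hello"; ?>\n' > "$root/app/index.php"
    printf 'phpinfo() mentioned in a text file is ignored\n' > "$root/notes.txt"
    printf '%s\n' "$root"
}

# Stand-alone demo: scan the constructed web root, then clean it up.
demo=$(make_demo_root)
echo "Files calling phpinfo() under $demo:"
find_phpinfo_files "$demo"
echo "Apache 2.4 directive to block one of them until it is deleted:"
apache_deny_snippet "phpinfo.php"
rm -rf "$demo"
```

Run it with the real document root as the argument to find_phpinfo_files (for example, /var/www/html); in a deployment pipeline, fail the build when count_phpinfo_files returns anything other than 0.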
