

is showing phpinfo a security risk?




Posted by electron33, 06-09-2004, 03:48 AM
Hi, (To web host admins) Just wondering if showing phpinfo to customers a security risk? Thanks

Posted by openXS, 06-09-2004, 05:19 AM
No, I don't think it's a security risk. Doesn't reveal anything that the hacker could use.

Posted by stftk, 06-09-2004, 06:55 AM
If it's to customers, all it is doing is showing them information they could get otherwise; phpinfo just makes it easy and displays it all on one page. I don't have a problem with it though.

Posted by datums, 06-09-2004, 07:25 AM
"Doesn't reveal anything that the hacker could use" but it does. It gives someone from the outside the ability to see the server environment.

Posted by electron33, 06-09-2004, 08:42 AM
So, if a new customer asked you whether they could see your phpinfo page, would you be willing to show them that? Thanks guys!

Posted by MGCJerry, 06-09-2004, 09:21 AM
I'm just curious about the version, configure line, gd, and freetype. Once I get my info, I'm happy until they upgrade PHP again.

Posted by SiSHCO, 06-09-2004, 09:29 AM
phpinfo only shows information about PHP, mySQL etc... There is no risk to show others.

Posted by datums, 06-09-2004, 09:38 AM
The "etc..." is the problem. Have you taken the time to look at the function? Here is an example: http://www.entropy.ch/software/macosx/php/test.php Notice "Kernel Version". As far as a client wanting the information, that's not a problem.

Posted by Steven, 06-09-2004, 10:16 AM
Personally I would not use a host that did not show it, but if you want to disable it, add: disable_functions = phpinfo to your php.ini

Posted by electron33, 06-09-2004, 11:11 AM
Thanks for sharing your view on this.

Posted by Lem0nHead, 06-09-2004, 12:23 PM
"security by obscurity is not security"

Posted by whmcsguru, 06-09-2004, 01:47 PM
To me, there's nothing wrong with showing phpinfo. The only real security problem I can see is if your setup is out of date (kernel, php). In that case, it's your own fault, update your servers.

As someone said: Security by obscurity is not security. This is very much true. You can disable all the functions you want (system, etc), rely on safe_mode, whathaveyou, but in the end it's all about how much you pay attention to the server. If you're not watching the server AND the environment that goes into that.

Here's a good example: Cpanel released a "security warning" for apache builds using phpsuexec. Since I know for sure that my clients don't use it, I didn't react at all (I don't use phpsuexec for anything, because it WILL screw up php code). I simply went about my day because it didn't apply. Lo and behold, two clients decided to update on their own, screwing up more than could be imagined (I have a custom apache and php buildscript for cpanel). When they came to me, I simply told them to let me do my job next time and fixed the problem.

It's all about KNOWING what you put into the systems, being familiar enough with the system to ensure that it's not going to freak out, keeping up to date with kernel and related patches. Security is a never ending job, trust me. Disabling phpinfo isn't going to make your box 1 bit more secure. It WILL hide the kernel info and php info, but for the most part that doesn't need to be hidden, if you keep it up to date.

Posted by Lem0nHead, 06-09-2004, 01:53 PM
Won't even do that. If someone wants to know the kernel info they can just login to cPanel and it shows there, or make a perl script like or, if you don't disable PHP exec functions, use it to execute "uname -a"... or even set a cronjob that does something like "uname -a >/home/user/unameresult.txt". Well... there's a bunch of ways.

Posted by Mdot, 06-09-2004, 02:22 PM
It is a security risk to some point to show phpinfo. I'm not referring to kernel versions, and such, but to the variables it shows. E.g. when you restart apache, php will take some variables from your shell session, and show them on the phpinfo page. This can be dangerous. Example: This means that the user ("root" in most cases), who [re]started apache, was logged in from 142.11.11.11:61904 when he/she [re]started apache. There is also a lot of other interesting information. Regards, M.

Posted by Lem0nHead, 06-09-2004, 02:25 PM
Mine just shows those _ENVs.

Posted by Steven, 06-09-2004, 03:41 PM
Umm it was for non phpsuexec setups.

Posted by SiSHCO, 06-09-2004, 04:17 PM
If someone wants to see your server information, he/she can use Nmap or other security scanners. Also there are many other methods for this... phpinfo is the easiest way...

Posted by electron33, 06-09-2004, 04:55 PM
So do you think showing phpinfo publicly might reveal some useful details for crackers that would be difficult (if not impossible) to get otherwise?

Posted by Lem0nHead, 06-09-2004, 05:01 PM
He's probably talking about the issue before this one, the one that needed to recompile apache if you used phpsuexec before April 14, or something like that.

Posted by racknap1, 08-23-2012, 10:25 AM
Hi, Turn expose_php off. It won't by itself fend off a determined attacker, but it will lower visibility to attacks that rely on simple reconnaissance techniques to scan for vulnerable targets. You can only disable expose_php in the php.ini file: ; Disable expose_php for security reasons expose_php = Off Hope this will work.

Posted by bear, 08-23-2012, 02:35 PM
06-09-04, 05:01 PM was the post before yours. If it was going to work, it would have been done literally years ago.
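An added example, not code from anyone in this thread: a read-only PHP audit script that checks the three things the posts above disagree about (whether expose_php is on, whether phpinfo is blocked by disable_functions, and which login-shell variables the server process inherited, as in Mdot's SSH_CLIENT case). The list of shell variables and the function name are my own assumptions; extend them for your environment.

```php
<?php
// Added example, not from the thread: audit what a phpinfo() page on this
// server would disclose. Read-only; it changes no settings.
// The list below is an assumption: variables a login shell usually exports.
// If Apache was started from such a shell, they are inherited and phpinfo()
// prints them under "Environment" (e.g. SSH_CLIENT = <ip> <port> <port>).
const SHELL_LEAK_VARS = [
    'SSH_CLIENT', 'SSH_CONNECTION', 'SSH_TTY', 'SSH_AUTH_SOCK',
    'SUDO_USER', 'SUDO_COMMAND', 'LOGNAME', 'USER', 'HOME',
    'PWD', 'OLDPWD', 'HISTFILE', 'MAIL', 'TERM',
];

// Hypothetical helper name. Returns an array so a caller can act on it.
function phpinfoAudit(): array
{
    $report = [];

    // 1. expose_php adds "X-Powered-By: PHP/x.y.z" to every response.
    //    It is PHP_INI_SYSTEM, so php.ini is the only place it can be set.
    $report['expose_php'] = filter_var(ini_get('expose_php'), FILTER_VALIDATE_BOOLEAN);

    // 2. disable_functions: is phpinfo itself still callable?
    $disabled = array_map('trim', explode(',', (string) ini_get('disable_functions')));
    $report['phpinfo_callable'] = !in_array('phpinfo', $disabled, true)
        && function_exists('phpinfo');

    // 3. Shell-session variables visible to this PHP process.
    $leaked = [];
    foreach (SHELL_LEAK_VARS as $name) {
        $value = getenv($name);
        if ($value !== false && $value !== '') {
            $leaked[$name] = $value;
        }
    }
    $report['leaked_env'] = $leaked;

    return $report;
}

// Print a summary when run directly from the CLI.
if (PHP_SAPI === 'cli' && isset($argv[0]) && realpath($argv[0]) === __FILE__) {
    $r = phpinfoAudit();
    printf("expose_php: %s\n", $r['expose_php'] ? 'On (set expose_php = Off in php.ini)' : 'Off');
    printf("phpinfo() callable: %s\n", $r['phpinfo_callable'] ? 'yes' : 'no');
    echo $r['leaked_env'] === [] ? "No shell-session variables found.\n"
                                 : "Shell-session variables phpinfo() would print:\n";
    foreach ($r['leaked_env'] as $k => $v) {
        printf("  %s=%s\n", $k, $v);
    }
}
```

The environment check reports the environment of whichever process runs the script, so to see what Apache inherited, call phpinfoAudit() from a page served by the web SAPI rather than from the CLI.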

Copyright © 2018 DC International LLC. - All Rights Reserved.