phpinfo security leak

fuzzmaster

2:02 pm on Apr 22, 2006 (gmt 0)

I was looking in my CGI Administration panel - this is how I can connect to view my php info settings. I saw a shortcut on how I could, along with my domain name, add a path to view my php info. No problem with that, but it also reveals my vital info like password and username. What to do? It's a shared host too.

eelixduppy

2:33 pm on Apr 22, 2006 (gmt 0)

Hello...

You can disable phpinfo() by going into your php.ini file. If you aren't sure where that is located, then you can print the phpinfo() function and it is written there. Then find the place where you can disable functions for security reasons.

The line should read this:
disable_functions = phpinfo

Then restart your server and that function should be disabled.

Hope this helps...

barns101

2:52 pm on Apr 22, 2006 (gmt 0)

it's a shared host too

You probably won't be able to access your php.ini file.

fuzzmaster

3:16 pm on Apr 22, 2006 (gmt 0)

Maybe I could ask my host to disable it, or maybe I will try a custom php.ini file with the contents asking to disable the function first. I can't see why something like that would be accessible easily (by default) to any Tom, Dick, Harry or even Mary.

barns101

3:52 pm on Apr 22, 2006 (gmt 0)

Surely somebody would have to guess the location of the file? (Or do you mean other people with your host?)

fuzzmaster

4:06 pm on Apr 22, 2006 (gmt 0)

I'm not sure. Is it a standard path people would take or use? Can someone with the same host get that path from viewing theirs? I wonder if I could just use a redirect back to the homepage if compromised?

henry0

4:48 pm on Apr 22, 2006 (gmt 0)

You can change some settings via .htaccess.

Also review From The Manual [php.net]

fuzzmaster

6:54 pm on Apr 22, 2006 (gmt 0)

Please help, I've read so much since my first post to this question. I also drank too much Kool-aid, now I'm punch drunk (grape and tropical punch is my favorite) and confused.

hakre

3:50 pm on Apr 24, 2006 (gmt 0)

just relax,

phpinfo() should not reveal things like username and password at all. Maybe you can only see your username and password from your request. In that case, even if someone would guess the url of the request which leads to display of phpinfo(), they might see only his/her own request's username and password, not yours!

Anyway, it might be (might) that your shared hoster has got an insecure php/web setup anyway, so this is not related to the phpinfo function in specific and it doesn't make much sense to disable it.

And I guess no hoster on earth will disable phpinfo by default for its customers, because you often need it to set up scripts and apps on the server.

bcolflesh

3:55 pm on Apr 24, 2006 (gmt 0)

phpinfo() should not reveal things like username and password at all. Maybe you can only see your username and password from your request. In that case, even if someone would guess the url of the request which leads to display of phpinfo(), they might see only his/her own request's username and password, not yours!

Correct - it's showing his session variables - they wouldn't be exposed to other users - but it's a good idea to protect the phpinfo anyway - no sense in giving anyone any info about your config.
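A gated phpinfo page, as an added example that is not part of this thread or any poster's code: it combines the disable_functions check from eelixduppy's post with the redirect-to-homepage idea fuzzmaster raised, for a shared host where php.ini itself cannot be edited. The script location admin/phpinfo.php and the ADMIN_IPS list are assumptions.

```php
<?php
// Added example, not from the thread. Assumed to live at admin/phpinfo.php
// (hypothetical path). Only the addresses in ADMIN_IPS get to see the output;
// everyone else is sent back to the homepage, so a guessed URL reveals nothing.
declare(strict_types=1);

// Constructed list; replace with the address you administer from.
const ADMIN_IPS = ['127.0.0.1', '::1'];

function phpinfo_is_disabled(): bool
{
    // disable_functions is a comma-separated list; entries may carry whitespace.
    $disabled = array_map('trim', explode(',', (string) ini_get('disable_functions')));
    // function_exists() also reports false for functions removed via disable_functions.
    return in_array('phpinfo', $disabled, true) || !function_exists('phpinfo');
}

function request_is_allowed(string $remoteIp): bool
{
    // REMOTE_ADDR is the TCP peer, so it cannot be set by a request header.
    return in_array($remoteIp, ADMIN_IPS, true);
}

$remoteIp = $_SERVER['REMOTE_ADDR'] ?? '';
if (!request_is_allowed($remoteIp)) {
    // Unauthorised visitors are redirected to the homepage instead of seeing config.
    header('Location: /', true, 302);
    exit;
}

// Keep the configuration dump out of caches, proxies and search engines.
header('Cache-Control: no-store');
header('X-Robots-Tag: noindex');

if (phpinfo_is_disabled()) {
    // The host (or a custom php.ini) has already disabled it; say so and stop.
    echo 'phpinfo() is disabled by disable_functions on this host.';
    exit;
}

phpinfo();
```

If the host honours a per-directory php.ini or .user.ini, adding the line disable_functions = phpinfo there makes the same script print the "disabled" message rather than the configuration.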

fuzzmaster

7:05 pm on Apr 24, 2006 (gmt 0)

I'm relaxed now. Too much Kool-aid equals sugar rush and panic :P