What is phpinfo?
It is one of the handiest functions for a PHP programmer for debugging the web server running PHP. As the name suggests, phpinfo displays information about PHP. While it does not include version information about your database schema, it does include version information about PHP, Apache/IIS, GD, and other components. It also contains a description of many important settings, which could be causing problems with your installation. In general, the web server information you will get from this file is listed below:
- The web server version
- The IP address of the host
- The version of the operating system
- The root directory of the web server
- Configuration information about the remote PHP installation
This is a screenshot of the phpinfo file of one of the compromised web servers.
How to create phpinfo?
Creating a phpinfo.php file is simple and easy. With a simple text editor (such as Notepad++), write the code below and save it as phpinfo.php:
<?php
phpinfo();
?>
Now upload the file to your web server and open it in a browser. Most probably you will see something like the screenshot given above; if not, your web server most likely does not have PHP enabled.
So does exposing phpinfo.php to the public pose a threat?
Not really. A well-configured, up-to-date system can afford to expose phpinfo() without risk. Exposing phpinfo() on its own isn't necessarily a risk, but in combination with another vulnerability it could lead to your site becoming compromised. So the less specific information attackers have about your system, the better. Disabling phpinfo() won't make your site secure, but it will make things slightly more difficult for them. So as a webmaster you should disable it for public view; if you do need it for debugging, you can restrict the file from public view through .htaccess:
# protect phpinfo
# The file name must match the script you uploaded (phpinfo.php above).
<Files phpinfo.php>
Order Deny,Allow
Deny from all
# Replace xx.xx.xx.xx with the IP address from which you want to access phpinfo.
Allow from xx.xx.xx.xx
# On Apache 2.4 without mod_access_compat, use "Require all denied" and
# "Require ip xx.xx.xx.xx" instead of the Order/Deny/Allow directives.
</Files>
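To confirm the restriction above actually holds, a webmaster can check the Apache access log for requests to phpinfo.php that were answered with 200 from an address outside the allowlist. The following is an added example (not code from the original post); the log lines are constructed, and 203.0.113.7 stands in for the xx.xx.xx.xx placeholder in the .htaccess.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample of Apache combined-log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /phpinfo.php HTTP/1.1" 200 71234 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2023:13:56:01 +0000] "GET /phpinfo.php HTTP/1.1" 403 199 "-" "curl/8.0"
198.51.100.23 - - [10/Oct/2023:13:56:05 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "curl/8.0"
192.0.2.99 - - [10/Oct/2023:14:02:11 +0000] "GET /phpinfo.php?x=1 HTTP/1.1" 200 71234 "-" "python-requests/2.31"
"""

# Assumed admin address: the page's xx.xx.xx.xx placeholder, written as a /32 network.
ALLOWED = [ip_network("203.0.113.7/32")]

# Client IP, request line and status from the Apache "combined" format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return ip/path/status for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m.group("ip"), "path": m.group("path"), "status": int(m.group("status"))}


def is_allowed(ip, allowed=ALLOWED):
    """True if ip falls inside any allowlisted network."""
    addr = ip_address(ip)
    return any(addr in net for net in allowed)


def find_exposures(log_text, target="/phpinfo.php", allowed=ALLOWED):
    """Return (ip, status) for every request to the target that got a 200
    from an address outside the allowlist, i.e. the .htaccess did not apply."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"].split("?", 1)[0] != target:
            continue  # unparsable line or a different script
        if rec["status"] == 200 and not is_allowed(rec["ip"], allowed):
            hits.append((rec["ip"], rec["status"]))
    return hits


if __name__ == "__main__":
    for ip, status in find_exposures(SAMPLE_LOG):
        print(f"phpinfo.php served with {status} to non-allowlisted {ip}")
```

An empty result from find_exposures over a real log means every non-allowlisted request to phpinfo.php was refused; any hit means the file is still reachable from the public and the restriction needs fixing.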