1.2.976. Phpinfo
phpinfo() is a convenient function for learning about the current configuration of the server.
If it is left in production code, it becomes a critical information leak: any attacker who reaches its output learns a great deal about the server configuration (PHP version, loaded extensions, ini settings, environment variables and request data).
It is advised never to leave that kind of instruction in production code.
phpinfo() may be necessary to reach some specific configuration of the server: for example, the Apache
module list is only available via phpinfo() or apache_get_modules(), and only when the Apache SAPI is loaded.
<?php
// phpinfo() guarded by a debug flag: defined() avoids an undefined-constant
// error when DEBUG was never declared, but the call still ships to production.
if (defined('DEBUG') && DEBUG) {
    phpinfo();
}
?>
1.2.976.1. Suggestions
Remove all usage of phpinfo()
Add one or more constants to fine-tune the phpinfo() call (its INFO_* flags) and limit the amount of displayed information
Replace phpinfo() with a more targeted function: get_loaded_extensions() to access the list of loaded extensions
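The three suggestions above, and the Apache-module case mentioned earlier, as an added PHP example (this is not Exakat's code nor code from the original page). It assumes a hypothetical APP_DEBUG constant defined by the application, and the sample source at the bottom is constructed for the demonstration.

```php
<?php
// Added example, not Exakat's or the page's own code. Assumes PHP >= 7.4 and an
// application-defined constant APP_DEBUG (hypothetical name; the page uses DEBUG).
declare(strict_types=1);

/**
 * Suggestion 3: return only what a diagnostics page actually needs instead of
 * dumping the whole phpinfo() output.
 */
function runtimeModules(): array
{
    $info = [
        'php_version'    => PHP_VERSION,
        'extensions'     => get_loaded_extensions(),
        'apache_modules' => [],
    ];
    // apache_get_modules() only exists under the Apache SAPI, so guard the call.
    if (function_exists('apache_get_modules')) {
        $info['apache_modules'] = apache_get_modules();
    }
    return $info;
}

/**
 * Suggestion 2: if phpinfo() must stay, gate it on a constant and restrict the
 * sections. INFO_VARIABLES and INFO_ENVIRONMENT expose $_SERVER and the process
 * environment (where credentials often live), so they are deliberately omitted.
 */
function debugPhpinfo(): bool
{
    if (!defined('APP_DEBUG') || !APP_DEBUG || PHP_SAPI !== 'cli') {
        return false; // never rendered for a web request
    }
    phpinfo(INFO_GENERAL | INFO_MODULES);
    return true;
}

/**
 * Suggestion 1: locate remaining phpinfo() call sites so they can be removed.
 * Tokenising instead of grepping avoids false positives from comments, strings
 * and methods that happen to share the name. Returns the line number of each call.
 */
function findPhpinfoCalls(string $source): array
{
    $hits   = [];
    $tokens = token_get_all($source);
    $n      = count($tokens);
    $prev   = null; // last non-whitespace token seen

    for ($i = 0; $i < $n; $i++) {
        $t = $tokens[$i];
        if (is_array($t) && $t[0] === T_WHITESPACE) {
            continue;
        }
        $isName = is_array($t)
            && ($t[0] === T_STRING
                || (defined('T_NAME_FULLY_QUALIFIED') && $t[0] === T_NAME_FULLY_QUALIFIED))
            && strcasecmp(ltrim($t[1], '\\'), 'phpinfo') === 0;

        if ($isName) {
            // Skip "->phpinfo(", "::phpinfo(" and "function phpinfo(".
            $isMember = is_array($prev)
                && in_array($prev[0], [T_OBJECT_OPERATOR, T_DOUBLE_COLON, T_FUNCTION], true);

            // Require an opening parenthesis so a bare constant is not reported.
            $j = $i + 1;
            while ($j < $n && is_array($tokens[$j]) && $tokens[$j][0] === T_WHITESPACE) {
                $j++;
            }
            if (!$isMember && $j < $n && $tokens[$j] === '(') {
                $hits[] = $t[2];
            }
        }
        $prev = $t;
    }
    return $hits;
}

// Constructed sample source: two real calls plus three decoys that must be ignored.
$sample = <<<'PHP'
<?php
// phpinfo(); in a comment must not be reported
$s = 'phpinfo()';      // nor inside a string
phpinfo();
if (DEBUG) { phpinfo(INFO_MODULES); }
$x->phpinfo();         // a method with the same name
PHP;

print_r(findPhpinfoCalls($sample));
print_r(runtimeModules()['extensions']);
```

Running the script reports only the two real call sites in the constructed sample (the comment, the string literal and the method call are skipped). The scanner is a lightweight stand-in for a static-analysis rule such as this one; in a CI job it would be fed each file of the repository and fail the build when the returned array is non-empty.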
1.2.976.2. Specs
Short name | Structures/PhpinfoUsage
Rulesets |
Exakat since | 0.8.4
PHP Version | All
Severity | Major
Time To Fix | Quick (30 mins)
Precision | Very high
Features | phpinfo
Examples |
Available in |