1.2.976. Phpinfo

phpinfo() is a convenient function for learning about the current configuration of the server.

If left in production code, it becomes a critical information leak: any attacker who can reach the page learns the PHP version, loaded extensions, configuration directives, environment variables and filesystem paths of the server, which makes the rest of the attack much easier to plan.

Never leave that kind of call in production code.

phpinfo() may be necessary to reach some specific configuration details of the server: for example, the list of Apache modules is only available via phpinfo() or apache_get_modules(), and only when PHP runs as an Apache module. Even then, the call should be gated so that it never executes in production, as in the example below, where DEBUG is a constant the application is assumed to define.

<?php

// DEBUG is assumed to be a constant defined by the application's configuration;
// it must be false in production so that phpinfo() is never reached.
if (DEBUG) {
    phpinfo();
}

?>

1.2.976.1. Suggestions

  • Remove all usage of phpinfo()

  • Pass one or more of the INFO_* flag constants (INFO_GENERAL, INFO_MODULES, INFO_CONFIGURATION, etc.) to phpinfo() to limit the amount of displayed information, instead of the default INFO_ALL

  • Replace phpinfo() with a more targeted function: get_loaded_extensions() to list the loaded extensions, or apache_get_modules() for the Apache module list
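The following is an added example, not code from the original page nor from the Exakat project, showing how the last two suggestions combine: the server details are collected with targeted functions rather than phpinfo(), the report is refused outside the command line, and it requires an explicit environment opt-in. The function name debug_server_report() and the environment variable APP_DEBUG are assumptions chosen for the illustration.

```php
<?php
// Added example: a narrow, non-web replacement for phpinfo().
// debug_server_report() and APP_DEBUG are hypothetical names for this illustration.

declare(strict_types=1);

function debug_server_report(): array
{
    $report = [
        'php_version' => PHP_VERSION,
        'sapi'        => PHP_SAPI,
        // get_loaded_extensions() gives the extension list without the
        // ini settings, environment and paths that phpinfo() would dump.
        'extensions'  => get_loaded_extensions(),
    ];

    // apache_get_modules() only exists when PHP runs as an Apache module,
    // so guard the call instead of assuming the SAPI.
    if (function_exists('apache_get_modules')) {
        $report['apache_modules'] = apache_get_modules();
    }

    return $report;
}

// Refuse to produce the report from any web request: the data is only
// ever printed to a terminal, never to an HTTP response.
if (PHP_SAPI !== 'cli') {
    http_response_code(404);
    exit;
}

// Require an explicit opt-in through the environment rather than a code
// constant that could be left enabled in a deployed build.
if (getenv('APP_DEBUG') !== '1') {
    fwrite(STDERR, "APP_DEBUG is not set; refusing to print server details\n");
    exit(1);
}

echo json_encode(debug_server_report(), JSON_PRETTY_PRINT), PHP_EOL;
```

Run it as `APP_DEBUG=1 php report.php` from a shell on the server; the same script served through Apache or php-fpm returns an empty 404. If the full phpinfo() output is really needed for one investigation, `phpinfo(INFO_GENERAL | INFO_MODULES)` inside the same CLI-and-environment gate still avoids dumping environment variables and request data.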

1.2.976.2. Specs

Short name: Structures/PhpinfoUsage

Rulesets: All, Security

Exakat since: 0.8.4

PHP Version: All

Severity: Major

Time To Fix: Quick (30 mins)

Precision: Very high

Features: phpinfo

Examples: Dolphin

Available in: Enterprise Edition, Exakat Cloud