Helpful phpinfo(): Are You Putting the Welcome Mat out for Hackers?
by Jeremy Conley
Posted in Articles, Coders, PHP on
Hi all. After a long hiatus from posting, I am coming back with some fresh content and articles, so enjoy!
Today's article is on our old friend, phpinfo(). If you have been programming with PHP for long, you have no doubt used this indispensable function. Have you ever tried configuring a server and needed to check to see if PHP is working? Many of us (myself included!) have just created a quick PHP file with phpinfo() to check to see if PHP is installed and working. Besides just letting us see PHP's status, it also helps us answer a number of other useful questions. Is MySQL installed on the server? Just use phpinfo(). Hmmm...can I upload files? Check phpinfo(). What about is my favorite third party extension installed? Look at phpinfo().
So as we have seen, phpinfo() is a valuable debugging tool. However, if you as the site's developer think that information is helpful, then it is ten times more helpful to an attacker. In just one page, an attacker has a wealth of information about the server: the PHP version, server version, database extension versions, ImageMagick version information, server paths, and so much more. All it takes is for an attacker to find one software package out of date then exploit that software and take over the server.
Why give an attacker all of this information for free? You are basically just putting out the welcome mat to be hacked by providing all this information so conveniently. If you have read our other PHP articles on the site, you may realize that the only way to be truly secure is to keep your software and operating system patched and configured correctly. True, just not showing version numbers isn't going to keep you from being hacked, but it will make hackers work a little harder. Security through obscurity is not going to protect you like up to date systems, but combined with a comprehensive plan, it can help your server stay a little safer.
With that said, I have several recommendations for you on phpinfo():
-
Just don't use it. This is the safest route. Actually, phpinfo() should never be used on a production server. It's fine to use it on a closed development server, but it should be blocked on a development server. It's easy to do. Just open your php.ini file (which ironically is easily found by looking at phpinfo()) and find this line:
and then add phpinfo to the list. (You don't need to include the parenthesis here.) Save an restart Apache or IIS, and you will be good to go.disable_functions = -
Restrict it to just yourself. Disallow any other IPs from accessing it. Here is some sample code:
and obviously change it to your IP address. Don't rely upon this method though if your IP address frequently changes or if you are in a corporate/educational setting where many users share the same IP.if ( $_SERVER['REMOTE_ADDR'] == '123.456.789.000' ) { phpinfo(); }
In summary, phpinfo() is a really helpful, perhaps too helpful function. Either blocking it or being careful how you use it will make it harder for attackers to know how to attack you. Just be aware that even a common PHP function can be detrimental to your security.
about the author
More about Jeremy Conley:
Jeremy is a student at Western Michigan University where he is dual majoring in Electronic Business Design and Film & Video Studies. When not programming or researching design and security topics, Jeremy enjoys movies and photography and drinking coffee in all the amazing local Kalamazoo coffee shops.
questions or comments?
If you have any questions or comments about this article, feel free to contact us!