PHP Security Issues

Problems with the Windows version of XAMPP, questions, comments, and anything related.

PHP Security Issues

Postby racman » 15. May 2007 18:27

Hi All,

I was wondering if there are any security risks from a user getting information about my server when they run the following PHP script:

<?PHP
phpinfo();
?>

This shows a lot of information about my server and programs running on it as well as directory paths.

I am thinking this may be used by a hacker to attack my server. Are there any ways to protect against this and make my server more secure?

Regards,

Racman
racman
 
Posts: 4
Joined: 30. April 2007 01:18

Postby Dave_L » 15. May 2007 22:20

Yes, that is a security risk.

If you want to keep a phpinfo script on your server, you should place it in a password-protected directory or use some other method to prevent it from being publicly accessible.
User avatar
Dave_L
 
Posts: 212
Joined: 23. October 2004 00:43

Postby racman » 15. May 2007 23:45

I DO NOT want to place the script on my server. Why would I want to do that then start to worry about the security issues?

What I want is a way to STOP users on my server getting this information if they run this script from their websites hosted on my server.

:)
racman
 
Posts: 4
Joined: 30. April 2007 01:18

Postby Dave_L » 16. May 2007 00:31

I see.

There's a PHP configuration setting, disable_functions, that you can use to disable certain functions.
http://www.php.net/manual/en/features.s ... -functions

It looks like it's only settable in php.ini, so it would be global for the server.

But there are other ways in PHP to get some of the information that phpinfo() provides.

Since you're concerned about this kind of security risk, you should also enable settings such as safe_mode and open_basedir.
User avatar
Dave_L
 
Posts: 212
Joined: 23. October 2004 00:43


Return to XAMPP for Windows

Who is online

Users browsing this forum: No registered users and 86 guests