
PHP Security Issues

Posted: 15. May 2007 18:27
by racman
Hi All,

I was wondering if there are any security risks from a user getting information about my server when they run the following PHP script:

<?PHP
phpinfo();
?>

This shows a lot of information about my server and programs running on it as well as directory paths.

I am thinking this may be used by a hacker to attack my server. Are there any ways to protect against this and make my server more secure?

Regards,

Racman

Posted: 15. May 2007 22:20
by Dave_L
Yes, that is a security risk.

If you want to keep a phpinfo script on your server, you should place it in a password-protected directory or use some other method to prevent it from being publicly accessible.

Posted: 15. May 2007 23:45
by racman
I DO NOT want to place the script on my server. Why would I want to do that then start to worry about the security issues?

What I want is a way to STOP users on my server getting this information if they run this script from their websites hosted on my server.

:)

Posted: 16. May 2007 00:31
by Dave_L
I see.

There's a PHP configuration setting, disable_functions, that you can use to disable certain functions.
http://www.php.net/manual/en/features.s ... -functions

It looks like it's only settable in php.ini, so it would be global for the server.

But there are other ways in PHP to get some of the information that phpinfo() provides.

Since you're concerned about this kind of security risk, you should also enable settings such as safe_mode and open_basedir.
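
As an added example (not part of the original posts), the PHP script below audits the settings mentioned in the last reply: it reports which information-exposing functions are missing from disable_functions and whether open_basedir is set. The INFO_FUNCTIONS list and the name audit_php_settings are assumptions made for illustration.

```php
<?php
// Added example: audit the PHP configuration for the settings discussed in
// this thread. Run it under the same SAPI/pool that serves customer sites.
// safe_mode is not checked here: it was removed in PHP 5.4.

// Functions that expose server details in the way phpinfo() does.
// Assumed review list, not exhaustive; disabling some of these can break
// applications, so treat each hit as something to evaluate.
const INFO_FUNCTIONS = [
    'phpinfo', 'phpversion', 'php_uname', 'php_ini_loaded_file',
    'php_ini_scanned_files', 'get_loaded_extensions', 'ini_get_all',
    'get_cfg_var', 'getenv',
];

/**
 * Return a list of findings for the given directive values.
 */
function audit_php_settings(string $disableFunctions, string $openBasedir): array
{
    // disable_functions is a comma-separated list of function names.
    $disabled = array_filter(array_map(
        fn($name) => strtolower(trim($name)),
        explode(',', $disableFunctions)
    ), 'strlen');

    $findings = [];
    foreach (INFO_FUNCTIONS as $fn) {
        if (!in_array($fn, $disabled, true)) {
            $findings[] = "still callable: $fn()";
        }
    }
    if (trim($openBasedir) === '') {
        $findings[] = 'open_basedir is empty: scripts are not confined to a directory tree';
    }
    return $findings;
}

// Constructed sample values: only phpinfo disabled, open_basedir unset.
print_r(audit_php_settings('phpinfo', ''));

// Live values for the interpreter running this script.
print_r(audit_php_settings(
    (string) ini_get('disable_functions'),
    (string) ini_get('open_basedir')
));
```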