PHP Security Issues


Post by racman » 15. May 2007 18:27

Hi All,

I was wondering if there are any security risks from a user getting information about my server when they run the following PHP script:

<?PHP
phpinfo();
?>

This shows a lot of information about my server and programs running on it as well as directory paths.

I am thinking this may be used by a hacker to attack my server. Are there any ways to protect against this and make my server more secure?

Regards,

Racman
racman
 
Posts: 4
Joined: 30. April 2007 01:18

Post by Dave_L » 15. May 2007 22:20

Yes, that is a security risk.

If you want to keep a phpinfo script on your server, you should place it in a password-protected directory or use some other method to prevent it from being publicly accessible.
Dave_L
 
Posts: 212
Joined: 23. October 2004 00:43

Post by racman » 15. May 2007 23:45

I DO NOT want to place the script on my server. Why would I want to do that then start to worry about the security issues?

What I want is a way to STOP users on my server getting this information if they run this script from their websites hosted on my server.

:)
racman
 
Posts: 4
Joined: 30. April 2007 01:18

Post by Dave_L » 16. May 2007 00:31

I see.

There's a PHP configuration setting, disable_functions, that you can use to disable certain functions.
http://www.php.net/manual/en/features.s ... -functions

It looks like it's only settable in php.ini, so it would be global for the server.

But there are other ways in PHP to get some of the information that phpinfo() provides.

Since you're concerned about this kind of security risk, you should also enable settings such as safe_mode and open_basedir.
Dave_L
 
Posts: 212
Joined: 23. October 2004 00:43
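
Added example, not part of any post in this thread: an audit script an administrator can run to see what the disable_functions setting discussed above actually blocks, and which other information-revealing functions a hosted script could still call. The function list and the helper names (parseDisabled, auditInfoExposure) are assumptions of this example.

```php
<?php
// Added example, not from the thread. Run it under the same php.ini that the
// hosted sites use, e.g. from a test vhost.

// Functions that reveal server details. This list is an assumption of the
// example, not a complete inventory.
$infoFunctions = ['phpinfo', 'php_uname', 'phpversion', 'php_ini_loaded_file',
                  'get_loaded_extensions', 'ini_get_all', 'get_cfg_var', 'getenv'];

// disable_functions is a comma-separated list; tolerate spaces and case.
function parseDisabled(string $iniValue): array
{
    $names = array_map('trim', explode(',', strtolower($iniValue)));
    return array_values(array_filter($names, 'strlen'));
}

// Split the candidates into those blocked by disable_functions and those
// a hosted script can still call.
function auditInfoExposure(array $candidates, string $disableIni): array
{
    $disabled = parseDisabled($disableIni);
    $report = ['disabled' => [], 'still_callable' => []];
    foreach ($candidates as $fn) {
        $key = in_array(strtolower($fn), $disabled, true) ? 'disabled' : 'still_callable';
        $report[$key][] = $fn;
    }
    return $report;
}

$disableIni  = (string) ini_get('disable_functions');
$openBasedir = (string) ini_get('open_basedir');
// safe_mode is not checked here: it was removed in PHP 5.4.
$report = auditInfoExposure($infoFunctions, $disableIni);

echo "Blocked by disable_functions: ", implode(', ', $report['disabled']) ?: '(none)', "\n";
echo "Still callable:               ", implode(', ', $report['still_callable']) ?: '(none)', "\n";
echo "open_basedir:                 ", $openBasedir !== '' ? $openBasedir : '(not set)', "\n";

if ($report['still_callable']) {
    // Candidate php.ini line (global setting). It keeps the entries already
    // disabled. Functions such as getenv or ini_get_all are used by many
    // applications, so test hosted sites before applying it.
    $all = array_unique(array_merge(parseDisabled($disableIni), $report['still_callable']));
    echo "\nCandidate php.ini entry:\n  disable_functions = ", implode(',', $all), "\n";
}
```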
