What information in phpinfo is sensitive?

I was told that phpinfo contains sensitive data so you should delete it in production environment. But this afternoon I took a good look at it and found nothing interesting. So here's my question. What on earth is sensitive? How's an attacker gonna use such information? Or what will s/he know from the config page?


An example.

If your phpinfo page reveals that you are using Windows Server 2008 and PHP 5.6, with certain PHP modules, then the attackers can easily take control of your server because,

  • Windows server 2008 is end of life, and security issues won't be fixed by Microsoft any more.
  • PHP 5.6 is end of life, and security issues are no longer fixed.
  • Certain modules have their own vulnerabilities which open the door to the attackers.

Even if you use latest Windows and PHP releases, zero day vulnerabilities are out there.

The lesser information you reveal to the outside world, the more difficult for the attackers to exploit.

You'd better hire a security consultant and learn more.


In general the security concern is that the more information your infrastructure and applications "give away" (by disclosing product names, versions and capabilities) the less work an adversary has to do to gather information and the easier it becomes for them to quickly target specific (known) vulnerabilities.

That makes it best practice in production environments to among many others suppress version numbers, disable debug code/options (like phpinfo()) , suppress error messages and more...