What security problems could come from exposing phpinfo() to end users?
Solution 1:
Knowing the structure of your filesystem might allow hackers to execute directory traversal attacks if your site is vulnerable to them.
I think exposing phpinfo() on its own isn't necessarily a risk, but in combination with another vulnerability could lead to your site becoming compromised.
Obviously, the less specific info hackers have about your system, the better. Disabling phpinfo() won't make your site secure, but will make it slightly more difficult for them.
Solution 2:
Besides the obvious like being able to see if register_globals
is On, and where files might be located in your include_path, there's all the $_SERVER
($_SERVER["DOCUMENT_ROOT"]
can give clues to define a relative pathname to /etc/passwd
) and $_ENV
information (it's amazing what people store in $_ENV
, such as encryption keys)
Solution 3:
The biggest problem is that many versions make XSS attacks simple by printing the contents of the URL and other data used to access it.
http://www.php-security.org/MOPB/MOPB-08-2007.html
Solution 4:
A well-configured, up-to-date system can afford to expose phpinfo()
without risk.
Still, it is possible to get hold of so much detailed information - especially module versions, which could make a cracker's life easier when newly-discovered exploits come up - that I think it's good practice not to leave them up. Especially on shared hosting, where you have no influence on everyday server administration.