Security risks of having public phpinfo() page?


It would entirely depend on how confident you are about your PHP install. If you think it is rock solid, even if an attacker knows everything about your PHP install, then you could leave it in place.

But really, why would you leave this in place on a production system anyway? There may be exploits you are not aware of in your version of PHP - people may now or in future scan for your version of PHP, or particular options you have enabled, because they know how to carry out these exploits. So by keeping this up publicly, you added yourself to their hit list.

If you want to keep it up, you can put it in a password protected directory, or just switch it on when you need it. Given the small cost of these options, I wouldn't take the risk of keeping it public.

Author: Nick Peranzi

Updated on September 17, 2022

Comments

  • Nick Peranzi
    Nick Peranzi almost 2 years

    I have a publicly accessible page which just has

    <?php phpinfo(); ?>
    

    I use it for debugging purposes while we're in beta, but is there any harm in leaving it accessible when it's a live site?

  • danlefree
    danlefree over 13 years
    Wrapping the function call in a conditional usually does the trick - i.e. <?php if ( $_SERVER['REMOTE_ADDR'] == '1.2.3.4' ) phpinfo(); ?> (where 1.2.3.4 is your IP address)
  • Nick Peranzi
    Nick Peranzi over 13 years
    Thanks @dunxd - and thanks @danlefree for the tip... there are so many sites that still expose their phpinfos!
  • dunxd
    dunxd over 13 years
    There are a lot of sites that expose phpmyadmin too - don't follow the examples of low security of other people. They may not value their data or integrity of their server as much as you value yours.
  • justinhartman
    justinhartman over 6 years
    While @dunxd's solution is thorough and perfect I really like @danlefree's solution to the problem. I'm not sure why I never thought of this before and I will be using this model going forward. To remain on topic, I also wanted to add I too am of the opinion that exposing PHP publicly in a phpinfo() function is not a wise idea.
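An added example, not code from the question or its comments, that builds on danlefree's REMOTE_ADDR check: it allows a list of addresses or CIDR ranges instead of a single IP, answers everyone else with a 404, and deliberately ignores X-Forwarded-For. The addresses in $ALLOWED_SOURCES are placeholders.

```php
<?php
// Guarded phpinfo() page: extends the REMOTE_ADDR conditional from the comments
// to an allowlist with IPv4 CIDR support. Addresses below are placeholders.
declare(strict_types=1);

$ALLOWED_SOURCES = ['203.0.113.7', '198.51.100.0/24'];

function ipInCidr(string $ip, string $cidr): bool
{
    if (strpos($cidr, '/') === false) {
        return $ip === $cidr;            // plain address, exact match only
    }
    [$subnet, $bits] = explode('/', $cidr, 2);
    $ipLong = ip2long($ip);
    $subnetLong = ip2long($subnet);
    if ($ipLong === false || $subnetLong === false) {
        return false;                    // not valid IPv4: deny rather than guess
    }
    $bits = (int) $bits;
    if ($bits < 0 || $bits > 32) {
        return false;
    }
    $mask = $bits === 0 ? 0 : (-1 << (32 - $bits)) & 0xFFFFFFFF;
    return ($ipLong & $mask) === ($subnetLong & $mask);
}

function isAllowed(string $remoteAddr, array $allowed): bool
{
    foreach ($allowed as $entry) {
        if (ipInCidr($remoteAddr, $entry)) {
            return true;
        }
    }
    return false;
}

// Only REMOTE_ADDR is trusted: X-Forwarded-For is client-supplied unless a
// reverse proxy you control rewrites it, so it is not consulted here.
if (!isAllowed($_SERVER['REMOTE_ADDR'] ?? '', $ALLOWED_SOURCES)) {
    http_response_code(404);             // looks like a missing page to everyone else
    exit;
}
phpinfo();
```

If the site sits behind a reverse proxy, REMOTE_ADDR will be the proxy's address and the allowlist has to be enforced at the proxy instead.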