Stop Exposing Your phpinfo() Page Publicly

PHP has a function called phpinfo() that lists all of the configuration and system information on a handy web page. This can be useful on a fresh system or an upgraded system, and there are various reasons to make it available. However, it is unsafe to reveal unnecessary system information to the world, especially if the system has not been secured by an ethical hacker who understands network security.

Versions of PHP prior to the 5.2.1 release have the typical phpinfo() page, but PHP 5.2.1 and later add an anti-search-engine feature that prevents search engines from indexing the data. Remember, once a search engine grabs that information and caches it, the data is out there for good. Getting Google or Yahoo to remove the information is unlikely, or at the very least very painful. Simply prevent such indexing by not posting your phpinfo() publicly, or by upgrading to PHP 5.2.1.

If you are on a pre-5.2.1 release or need to make your phpinfo() available to certain team members who aren't local, there are options. You can hide the phpinfo() page where others can't find it, but if you use Google Toolbar or another search engine toolbar, it will announce the secret address to the engine, which will then likely index it. Better than hiding it is filtering access to it: either restrict access by IP address or put it behind a username/password login. Whatever method you use, it is better to prevent public distribution of your phpinfo() page.
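The two filtering options above combined in one wrapper script, as an added example that is not part of the original post: the page is served only after both an IP allowlist check and an HTTP Basic login succeed. The addresses, username and password hash are placeholders, and the script assumes a current PHP release (it relies on password_verify() and hash_equals()).

```php
<?php
// Added example, not from the original post: gate phpinfo() behind an IP
// allowlist and HTTP Basic authentication instead of publishing it openly.
declare(strict_types=1);

// Assumption: only these source addresses may ever see the page (placeholders).
$allowedIps = ['203.0.113.10', '127.0.0.1'];

// Assumption: one shared team account. Generate the hash once with
// password_hash('the-real-password', PASSWORD_DEFAULT) and paste it here.
$allowedUser = 'infoviewer';
$allowedHash = '$2y$10$REPLACE_WITH_OUTPUT_OF_password_hash';

$clientIp = $_SERVER['REMOTE_ADDR'] ?? '';

// First filter: source address. Anyone else gets a bare 403 with no hint
// that a phpinfo() page lives here.
if (!in_array($clientIp, $allowedIps, true)) {
    http_response_code(403);
    exit('Forbidden');
}

// Second filter: HTTP Basic credentials, compared in constant time so the
// check does not leak which half of the login was wrong.
$user = $_SERVER['PHP_AUTH_USER'] ?? '';
$pass = $_SERVER['PHP_AUTH_PW'] ?? '';
if (!hash_equals($allowedUser, $user) || !password_verify($pass, $allowedHash)) {
    header('WWW-Authenticate: Basic realm="phpinfo"');
    http_response_code(401);
    exit('Authentication required');
}

// Even for an allowed viewer, tell crawlers and caches to keep nothing
// (PHP 5.2.1+ embeds a robots meta tag; these headers apply on any release).
header('X-Robots-Tag: noindex, nofollow, noarchive');
header('Cache-Control: no-store');

phpinfo();
```

If the server sits behind a reverse proxy, REMOTE_ADDR is the proxy's address, so the IP filter must be applied at the proxy instead of in this script.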
