1. Introduction
PHPinfo Information Disclosure occurs when a PHP file containing the ‘phpinfo()’ function is accessible on a web server. This allows attackers to gather sensitive information about the server’s configuration, potentially aiding further attacks. Web servers running PHP are typically affected. A successful exploit could reveal versions of software installed and internal environment variables, impacting confidentiality by exposing system details.
2. Technical Explanation
The vulnerability arises from publicly accessible files created for debugging or included by default in some PHP applications that call the ‘phpinfo()’ function. An attacker can simply request this file via a web browser to view detailed server information. No authentication is required. The Common Weakness Enumeration (CWE) identifier for this issue is 200.
- Root cause: Unnecessary exposure of debugging information through the ‘phpinfo()’ function.
- Exploit mechanism: An attacker sends an HTTP request to a URL hosting a PHP file containing the ‘phpinfo()’ function, such as http://example.com/info.php. The server executes the script and returns its output in HTML format.
- Scope: All web servers running PHP with accessible ‘phpinfo()’ files are affected. Specific versions of PHP do not directly cause this vulnerability; it is a configuration issue.
3. Detection and Assessment
Confirming the presence of a vulnerable file is straightforward. A thorough assessment involves scanning all web directories for such files.
- Quick checks: Use a web browser to attempt to access common paths such as /info.php, /phpinfo.php, or /status.php.
- Scanning: Nessus plugin ID 10423 can detect accessible ‘phpinfo()’ pages. OpenVAS also has relevant scans. These are examples only and may require updates.
- Logs and evidence: Check web server access logs for requests to paths that host ‘phpinfo()’ files. Look for HTTP GET requests to such paths that returned a 200 status; retrieving the page confirms the exposure if the HTML output contains the string “PHP Version”.
curl -I http://example.com/info.php
4. Solution / Remediation Steps
Removing the affected file(s) is the primary solution. This should be done carefully to avoid disrupting legitimate applications.
4.1 Preparation
- Ensure you have access to the file system, understand which directories contain PHP files, and back up those files before making changes. The roll back plan is simply restoring the backed-up files.
- Change windows may be needed for production systems; approval from a change management team might be required.
4.2 Implementation
- Step 1: Identify all files containing ‘phpinfo()’. Use a command like `find /var/www -name "*.php" -print0 | xargs -0 grep -l "phpinfo()"` (the `-l` flag prints only the names of matching files).
- Step 3: Restart the web server to ensure changes take effect. Use commands like `systemctl restart apache2` or `systemctl restart nginx`.
4.3 Config or Code Example
Before
After
// File removed - no code present
4.4 Security Practices Relevant to This Vulnerability
Several security practices can help prevent this issue.
- Practice 1: Least privilege – limit the permissions of web server processes and users to reduce potential damage if a file is compromised.
- Practice 2: Secure defaults – avoid including debugging files in production deployments by default.
4.5 Automation (Optional)
A simple script can automate the removal process, but caution is advised.
#!/bin/bash
# Find every PHP file under the web root that calls phpinfo() and remove it.
# grep -l prints only the matching file names; the original awk '{print $1}'
# on grep's "file:content" output broke on any path containing spaces or colons.
find /var/www -name "*.php" -print0 | xargs -0 grep -lF "phpinfo()" | while IFS= read -r file; do
    echo "Removing file: $file"
    rm -f "$file"
done
5. Verification / Validation
Confirm the fix by attempting to access the previously vulnerable URL and verifying that it no longer displays ‘phpinfo()’ output.
- Post-fix check: Use a web browser or `curl -I http://example.com/info.php`. The response should be a 404 Not Found error, or another appropriate error code.
- Re-test: Repeat the quick checks from Section 3; no ‘phpinfo()’ pages should be accessible.
- Monitoring: Monitor web server access logs for any unexpected errors related to missing files.
curl -I http://example.com/info.php
6. Preventive Measures and Monitoring
Proactive measures can reduce the risk of this vulnerability.
- Baselines: Implement a security baseline that prohibits debugging files in production environments.
- Asset and patch process: Regularly review web server configurations for unnecessary or insecure settings.
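The log check described under “Logs and evidence” in Section 3 and the monitoring bullets in Sections 5 and 6 can be run directly against an access log. The script below is an added example, not part of the original page: it assumes the combined log format (request path in field 7, HTTP status in field 9), flags successful requests to the common ‘phpinfo()’ paths listed in Section 3, and uses a constructed sample log rather than real data.

```shell
#!/bin/bash
# Added example: flag successful requests to common phpinfo() paths in an
# Apache/nginx combined-format access log. Assumes the combined format, so the
# request path is field 7 and the HTTP status code is field 9, e.g.
#   192.0.2.10 - - [10/Oct/2023:13:55:40 +0000] "GET /info.php HTTP/1.1" 200 87234 "-" "Mozilla/5.0"

# Constructed sample log (not real data): one hit on /info.php, one 404 on
# /phpinfo.php, one hit on /admin/phpinfo.php with a query string, one HEAD hit
# on /status.php, and an unrelated request to /index.php.
SAMPLE_LOG='192.0.2.10 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Oct/2023:13:55:40 +0000] "GET /info.php HTTP/1.1" 200 87234 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:14:02:11 +0000] "GET /phpinfo.php HTTP/1.1" 404 196 "-" "curl/7.88"
198.51.100.7 - - [10/Oct/2023:14:02:12 +0000] "GET /admin/phpinfo.php?x=1 HTTP/1.1" 200 88002 "-" "curl/7.88"
203.0.113.5 - - [10/Oct/2023:14:30:00 +0000] "HEAD /status.php HTTP/1.1" 200 0 "-" "Scanner/1.0"'

# Print every log line (read from stdin) whose request path ends in one of the
# known phpinfo() file names and whose response was successful (2xx).
# A 404 for the same path means the file is not there and is not flagged.
flag_phpinfo_hits() {
    awk '
        {
            path = $7
            sub(/\?.*/, "", path)            # drop any query string before matching
            status = $9
            if (path ~ /\/(info|phpinfo|status)\.php$/ && status ~ /^2[0-9][0-9]$/) print
        }'
}

# Number of flagged lines, usable as a simple alert threshold (reads stdin).
count_phpinfo_hits() {
    flag_phpinfo_hits | wc -l | tr -d ' '
}
```

Run it as `cat /var/log/apache2/access.log | flag_phpinfo_hits` after sourcing the script; the path list in the awk pattern is the place to add any application-specific file names found during the Section 3 scan.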
7. Risks, Side Effects, and Roll Back
Removing files could disrupt legitimate applications if they rely on the ‘phpinfo()’ function.
- Roll back: Restore the backed-up web server files.
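The backup, removal and roll back steps from Sections 4.1, 4.2, 4.5 and 7 can be tied together so that removal is always reversible. The script below is an added example and not the page's own automation: it assumes a POSIX `find` and `grep`, moves each matching file into a backup directory outside the web root (preserving its relative path) instead of deleting it outright, and records a manifest so the roll back step can restore exactly what was moved. The web root and backup directory names are chosen by the caller.

```shell
#!/bin/bash
# Added example: quarantine every PHP file under a web root that calls
# phpinfo(), keeping a copy outside the web root for roll back.
# Assumptions: POSIX find/grep; the caller supplies WEBROOT and BACKUP_DIR.
set -u

# List files under $1 that contain the string "phpinfo(" (fixed string,
# case-insensitive, so PHPINFO() is also caught). grep -l prints file names only.
find_phpinfo_files() {
    local webroot="${1%/}"
    find "$webroot" -type f -name '*.php' -exec grep -lFi 'phpinfo(' {} +
}

# Move each matching file from $1 into $2, preserving its path relative to the
# web root, and append that relative path to a manifest for roll back.
quarantine_phpinfo_files() {
    local webroot="${1%/}" backup_dir="${2%/}" file rel
    mkdir -p "$backup_dir"
    : > "$backup_dir/manifest.txt"
    find_phpinfo_files "$webroot" | while IFS= read -r file; do
        rel="${file#"$webroot"/}"
        mkdir -p "$backup_dir/$(dirname "$rel")"
        mv "$file" "$backup_dir/$rel"
        printf '%s\n' "$rel" >> "$backup_dir/manifest.txt"
        echo "Quarantined: $rel"
    done
}

# Roll back (Section 7): put every file named in the manifest back in place.
restore_phpinfo_files() {
    local webroot="${1%/}" backup_dir="${2%/}" rel
    while IFS= read -r rel; do
        mkdir -p "$webroot/$(dirname "$rel")"
        mv "$backup_dir/$rel" "$webroot/$rel"
        echo "Restored: $rel"
    done < "$backup_dir/manifest.txt"
}
```

Typical use is `quarantine_phpinfo_files /var/www /root/phpinfo-backup-$(date +%F)` followed by the web server restart from Step 3; if a legitimate application breaks, `restore_phpinfo_files /var/www /root/phpinfo-backup-<date>` reverses the change. Keep the backup directory outside the web root so the quarantined files are not themselves served.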
8. References and Resources
Links related to this specific vulnerability.
- Vendor advisory or bulletin: http://php.net/manual/en/function.phpinfo.php