Revealing phpinfo()

OWASP 2013-A6 OWASP 2017-A3 OWASP 2021-A2 CAPEC-346 CWE-213 ISO27001-A.18.1.3 WASC-13

phpinfo() is a built-in PHP function that prints the interpreter's configuration: the PHP version and compilation options, the loaded extensions and their settings, every php.ini directive with its local and master value, the operating system and server software, environment variables, the contents of $_SERVER (document root, script path, server address, request headers) and the PHP license. It exists so that developers can check configuration details and predefined variables on a given system, and it doubles as a debugging aid because it collects on one page almost everything a developer wants to know about the server. A single file in the web root that calls phpinfo(), such as an info.php left behind after deployment or a line added to index.php, is enough to publish all of it to anyone who requests the URL.

For an attacker the output of phpinfo() is reconnaissance material. The exact PHP version narrows the search for known vulnerabilities, and the list of loaded extensions narrows it further. The values of disable_functions, open_basedir, allow_url_include and file_uploads tell the attacker which post-exploitation steps will work; DOCUMENT_ROOT, SCRIPT_FILENAME and upload_tmp_dir supply the absolute paths needed for path traversal and file inclusion payloads; SERVER_ADDR and the environment variables may reveal internal addresses and, on badly configured hosts, secrets passed to the process through its environment. The page itself does not compromise the application, but it removes most of the guesswork from attacking it.
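The following script shows how a tester reads a phpinfo() page: it pulls the version and the directive table out of the HTML and flags the settings that matter for the next step of an attack. It is an added example, not code from the original page or from Beagle; the HTML sample is constructed here to mimic the table layout phpinfo() emits, and the list of settings worth flagging is this example's own choice.

```python
import html
import re

# Constructed fragment of phpinfo() HTML (not a capture from any real host).
# phpinfo() prints each directive in a <td class="e"> cell followed by its local
# and master values in <td class="v"> cells, and the version in <h1 class="p">.
SAMPLE_PHPINFO = """
<h1 class="p">PHP Version 7.4.3</h1>
<table>
<tr><td class="e">allow_url_fopen</td><td class="v">On</td><td class="v">On</td></tr>
<tr><td class="e">allow_url_include</td><td class="v">On</td><td class="v">On</td></tr>
<tr><td class="e">disable_functions</td><td class="v"><i>no value</i></td><td class="v"><i>no value</i></td></tr>
<tr><td class="e">open_basedir</td><td class="v"><i>no value</i></td><td class="v"><i>no value</i></td></tr>
<tr><td class="e">expose_php</td><td class="v">On</td><td class="v">On</td></tr>
<tr><td class="e">file_uploads</td><td class="v">On</td><td class="v">On</td></tr>
<tr><td class="e">upload_tmp_dir</td><td class="v">/tmp</td><td class="v">/tmp</td></tr>
<tr><td class="e">$_SERVER[&#039;DOCUMENT_ROOT&#039;]</td><td class="v">/var/www/html</td></tr>
<tr><td class="e">$_SERVER[&#039;SERVER_ADDR&#039;]</td><td class="v">10.0.3.15</td></tr>
<tr><td class="e">$_SERVER[&#039;SCRIPT_FILENAME&#039;]</td><td class="v">/var/www/html/info.php</td></tr>
</table>
"""

ROW = re.compile(r'<td class="e">(.*?)</td>\s*<td class="v">(.*?)</td>', re.S)
TAG = re.compile(r"<[^>]+>")


def parse_phpinfo(page):
    """Return (php_version, {name: local_value}) extracted from phpinfo() HTML."""
    m = re.search(r'<h1 class="p">PHP Version ([^<]+)</h1>', page)
    version = m.group(1).strip() if m else None
    entries = {}
    for name, value in ROW.findall(page):
        # Strip inner tags such as <i>no value</i> and decode HTML entities.
        name = html.unescape(TAG.sub("", name)).strip()
        value = html.unescape(TAG.sub("", value)).strip()
        entries[name] = value
    return version, entries


def triage(entries):
    """List the settings an attacker reads first, with what each one tells them."""
    findings = []
    if entries.get("disable_functions", "no value") == "no value":
        findings.append("disable_functions is empty: exec/system/shell_exec stay callable "
                        "once code execution is reached")
    if entries.get("open_basedir", "no value") == "no value":
        findings.append("open_basedir is unset: file reads are not confined to the web root")
    if entries.get("allow_url_include", "Off") == "On":
        findings.append("allow_url_include=On: include() accepts remote URLs "
                        "(remote file inclusion)")
    if entries.get("expose_php", "Off") == "On":
        findings.append("expose_php=On: the PHP version is also sent in the "
                        "X-Powered-By header")
    # Absolute paths and addresses that turn guessed traversal payloads into exact ones.
    for key in ("$_SERVER['DOCUMENT_ROOT']", "$_SERVER['SCRIPT_FILENAME']",
                "$_SERVER['SERVER_ADDR']", "upload_tmp_dir"):
        if key in entries:
            findings.append(f"{key} = {entries[key]}")
    return findings


if __name__ == "__main__":
    version, entries = parse_phpinfo(SAMPLE_PHPINFO)
    print("PHP version:", version)
    for line in triage(entries):
        print(" -", line)
```

Against a live page the HTML would come from an HTTP response instead of the constant; the parsing is the same because phpinfo() has used this table layout for many years.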


Example

The following page, placed anywhere under the web root, exposes the full configuration to every client that requests it:

        <?php
        // Writes the complete PHP configuration report into the response body.
        phpinfo();
        ?>

Impact

The impacts include:-

  • Path traversal and file inclusion: the disclosed document root, script filename and include_path let an attacker write exact paths for directory traversal and local file inclusion payloads instead of guessing them, and file_uploads together with upload_tmp_dir tells them where uploaded files land.
  • Cross-site scripting: phpinfo() echoes request data such as query parameters, cookies and request headers back into the page, which in older PHP releases was exploitable as reflected cross-site scripting against anyone who can be made to open the URL.
  • Targeted injection attacks: the loaded database extensions (mysqli, pdo_* and their defaults) reveal the backend, so SQL injection payloads can be tailored to it, and the exact PHP version lets the attacker pick exploits written for that build.

Using this information, the attacker can also

  • choose in advance the command-execution primitive that will work on the host (whichever of exec, system, shell_exec or proc_open is missing from disable_functions) once another flaw gives them code execution.
  • learn internal IP addresses and hostnames from SERVER_ADDR, SERVER_NAME and the environment variables, and occasionally secrets that were passed to the PHP process through its environment.

Mitigation / Precaution

Beagle recommends the following fixes:-

  • Disable phpinfo() in the application's PHP configuration by adding it to the disable_functions directive in php.ini (disable_functions = phpinfo). This directive can only be set in php.ini or the server's main configuration, so application code cannot re-enable the function with ini_set(); after the change a page that calls phpinfo() fails instead of printing the report.
  • Remove all pages that call phpinfo(), and search the web root for leftover files such as info.php, phpinfo.php or test.php that were dropped there during deployment.
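An audit script for the two fixes above, added here as an example and not part of the original page or of Beagle's tooling: it walks a web root for files that call phpinfo(), reads disable_functions from php.ini, and shows the hardened directive. The web root and php.ini contents are constructed inside the script; the file extensions scanned and the hypothetical paths are this example's assumptions.

```python
import os
import re
import tempfile

# Matches phpinfo( with any spacing or casing; PHP function names are case-insensitive.
PHPINFO_CALL = re.compile(r"\bphpinfo\s*\(", re.IGNORECASE)
PHP_EXTENSIONS = (".php", ".phtml", ".php5", ".inc")   # assumption: typical handler mapping


def find_phpinfo_pages(webroot):
    """Return web-root-relative paths of PHP files that call phpinfo()."""
    hits = []
    for dirpath, _, files in os.walk(webroot):
        for name in files:
            if not name.lower().endswith(PHP_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", errors="replace") as fh:
                if PHPINFO_CALL.search(fh.read()):
                    hits.append(os.path.relpath(path, webroot))
    return sorted(hits)


def disabled_functions(php_ini_text):
    """Return the set of functions named in disable_functions (last assignment wins)."""
    disabled = set()
    for line in php_ini_text.splitlines():
        line = line.split(";", 1)[0].strip()           # drop ini comments
        m = re.match(r"disable_functions\s*=\s*(.*)$", line)
        if m:
            value = m.group(1).strip().strip('"')
            disabled = {f.strip() for f in value.split(",") if f.strip()}
    return disabled


def harden_php_ini(php_ini_text):
    """Return php.ini text with phpinfo added to disable_functions (appending it if absent)."""
    current = disabled_functions(php_ini_text)
    if "phpinfo" in current:
        return php_ini_text
    directive = "disable_functions = " + ",".join(sorted(current | {"phpinfo"}))
    if re.search(r"^\s*disable_functions\s*=", php_ini_text, re.M):
        return re.sub(r"^\s*disable_functions\s*=.*$", directive, php_ini_text, flags=re.M)
    return php_ini_text.rstrip("\n") + "\n" + directive + "\n"


def demo():
    """Build a constructed web root and php.ini, then run both checks against them."""
    with tempfile.TemporaryDirectory() as webroot:
        os.makedirs(os.path.join(webroot, "admin"))
        samples = {                                      # constructed files, not real sites
            "index.php": "<?php echo 'hello'; ?>",
            "info.php": "<?php phpinfo(); ?>",
            os.path.join("admin", "debug.php"): "<?php if ($_GET['d']) { PHPINFO (); } ?>",
            "readme.txt": "phpinfo() is mentioned here but this is not PHP",
        }
        for rel, body in samples.items():
            with open(os.path.join(webroot, rel), "w") as fh:
                fh.write(body)
        pages = find_phpinfo_pages(webroot)
    ini = "; constructed php.ini\nexpose_php = On\ndisable_functions = exec,system\n"
    hardened = harden_php_ini(ini)
    return pages, disabled_functions(ini), disabled_functions(hardened)


if __name__ == "__main__":
    pages, before, after = demo()
    print("pages calling phpinfo():", pages)
    print("disable_functions before:", sorted(before))
    print("disable_functions after: ", sorted(after))
```

Run it against the real document root and the php.ini reported by `php --ini`, and remember that disable_functions is read from php.ini only, so the PHP-FPM or Apache process must be restarted for the change to take effect.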






