Disabling phpinfo

Friday, December 12th, 2014

Penetration testing is something every IT group should perform as it can point out things which are often overlooked.

Such was the case of a small Apache server which uses PHP to provide an internal service. A recent pen test showed that the phpinfo function was enabled and that its output was the default page.

Phpinfo is a useful debugging tool, as its output contains the EGPCS (Environment, GET, POST, Cookie, Server) data. That same data is very useful to somebody who wants to attack the server, so it is something that should be disabled.

If you never work with or rarely work with PHP, the obvious question is “How?”

Phpinfo is controlled through the php.ini file on the server. If the default parameters were used, it will be in the /etc directory. If you are not sure, you can review the phpinfo information. In my case, http://<server name or ip> (I did mention this was a small server, right? Defaults).

There are other ways to disable the function, but the best way is in the main php.ini file.

Edit the php.ini file and look for disable_functions.

If you have a tightly controlled server, there will already be other entries on that line. Simply append ,phpinfo to the list.

In my case, the line looked like: disable_functions = phpinfo

After that, save your work and restart Apache (httpd) by entering: service httpd restart

Phpinfo no longer displayed information.
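The steps above (find the disable_functions line, append phpinfo, restart httpd) as an added shell example; this is not the author's own script. It assumes the php.ini path is passed as an argument (the post's server used the default /etc/php.ini), that disable_functions is an unquoted, comma-separated list, and that Apache is restarted with the post's "service httpd restart". Unlike a hand edit it handles all three cases a practitioner meets: the directive is missing, it is present but empty, or it already has entries, and it is safe to run twice.

```shell
#!/bin/sh
# Added example (not from the original post): add phpinfo to PHP's
# disable_functions directive idempotently, then restart Apache.
set -eu

# add_disabled_function FILE FUNC
# Appends FUNC to the disable_functions line in FILE, creating the line if
# the directive is absent and leaving the file untouched if FUNC is already listed.
# A commented-out ";disable_functions" line is ignored, so a new line is added.
add_disabled_function() {
    file=$1
    func=$2
    tmp="$file.tmp.$$"
    awk -v f="$func" '
        BEGIN { done = 0 }
        /^[ \t]*disable_functions[ \t]*=/ && !done {
            split($0, kv, "=")
            n = split(kv[2], parts, ",")
            present = 0
            for (i = 1; i <= n; i++) {
                p = parts[i]; gsub(/[ \t]/, "", p)
                if (p == f) present = 1
            }
            if (!present) {
                val = kv[2]; gsub(/^[ \t]+|[ \t]+$/, "", val)
                if (val == "") $0 = "disable_functions = " f   # empty list
                else $0 = "disable_functions = " val "," f     # existing entries
            }
            done = 1
        }
        { print }
        END { if (!done) print "disable_functions = " f }      # directive absent
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# disabled_functions FILE
# Prints the current comma-separated disable_functions value, whitespace stripped.
disabled_functions() {
    awk -F= '/^[ \t]*disable_functions[ \t]*=/ { v = $2; gsub(/[ \t]/, "", v); print v; exit }' "$1"
}

# Usage (as root): sh disable_phpinfo.sh /etc/php.ini
# Nothing runs unless a php.ini path is given, so the functions can be sourced.
if [ $# -eq 1 ]; then
    add_disabled_function "$1" phpinfo
    echo "disable_functions is now: $(disabled_functions "$1")"
    service httpd restart
fi
```

After the restart, a page that calls phpinfo() renders only a PHP warning saying the function has been disabled, which is the check the post describes as "no longer displayed information". The awk edit writes to a temporary file and renames it rather than using sed -i, so it behaves the same on GNU and BSD systems.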
