Penetration testing is something every IT group should perform, as it can point out things that are often overlooked.
Such was the case with a small Apache server that uses PHP to provide an internal service. A recent pen test showed that the phpinfo function was enabled and that it was the default page.
Phpinfo is a useful debugging tool, as its output contains the EGPCS (Environment, GET, POST, Cookie, Server) data along with the PHP build and configuration details. That data is very useful to somebody who wants to attack the server, so on a production system it is something that should be disabled.
If you never work with or rarely work with PHP, the obvious question is “How?”
Phpinfo is controlled through the php.ini file on the server. If the default parameters were used, it will be in the /etc directory. If you are not sure, the phpinfo output itself reports the path of the loaded configuration file. In my case, that was http://<server name or ip> (I did mention this was a small server, right? Defaults).
There are other ways to disable the function, but the best way is in the main php.ini file.
Edit the php.ini file and look for disable_functions.
If you have a tightly controlled server, there will already be other entries on that line. Simply append ,phpinfo to the existing comma-separated list.
In my case, the line looked like: disable_functions = phpinfo
After that, save your work and restart httpd by entering: service httpd restart
Phpinfo no longer displayed information.
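The edit above is easy to get wrong by hand when the line already lists other functions, and easy to forget on the next server. The script below is an added example (not from the original post) that checks a php.ini for phpinfo in disable_functions and adds it only if it is missing, covering the three cases you actually meet: an empty "disable_functions =" line, a line that already lists other functions, and no directive at all. The php.ini path is an assumption; the post used the default /etc/php.ini. The sample php.ini it writes at the bottom is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: make sure phpinfo is listed in
# disable_functions in a php.ini. Assumes GNU sed (for -i -E).

# Return 0 if phpinfo already appears in the (last) disable_functions line.
phpinfo_disabled() {
  grep -E '^[[:space:]]*disable_functions[[:space:]]*=' "$1" \
    | tail -n 1 \
    | tr -d ' \t' \
    | grep -Eq '=(.*,)?phpinfo(,|$)'
}

# Add phpinfo to disable_functions in place. No-op if it is already present.
disable_phpinfo() {
  ini="$1"
  if phpinfo_disabled "$ini"; then
    return 0
  fi
  if grep -Eq '^[[:space:]]*disable_functions[[:space:]]*=[[:space:]]*$' "$ini"; then
    # Case 1: directive present but empty -> set it to phpinfo
    sed -i -E 's/^([[:space:]]*disable_functions[[:space:]]*=).*$/\1 phpinfo/' "$ini"
  elif grep -Eq '^[[:space:]]*disable_functions[[:space:]]*=' "$ini"; then
    # Case 2: directive lists other functions -> append ,phpinfo to the list
    sed -i -E 's/^([[:space:]]*disable_functions[[:space:]]*=.*[^[:space:]])[[:space:]]*$/\1,phpinfo/' "$ini"
  else
    # Case 3: no directive at all -> add one
    printf 'disable_functions = phpinfo\n' >> "$ini"
  fi
}

# Demonstration on a constructed php.ini (a real run would use /etc/php.ini).
demo_ini=$(mktemp)
printf 'expose_php = On\ndisable_functions = exec,system\n' > "$demo_ini"
disable_phpinfo "$demo_ini"
grep '^disable_functions' "$demo_ini"   # disable_functions = exec,system,phpinfo
rm -f "$demo_ini"
```

The script only rewrites a bare directive line; if your disable_functions line carries a trailing ";" comment, edit it by hand instead. After the restart, a request to the old default page should no longer show the configuration dump; PHP instead logs a warning that phpinfo() has been disabled for security reasons, which is a handy thing to grep for in the error log to confirm the change took effect.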