A recent audit found the homepage of an Apache server displaying phpinfo() output. phpinfo() is a valuable debugging tool, as it reports all EGPCS (Environment, GET, POST, Cookie, Server) data. That makes it really useful for debugging, and just as useful for information gathering by anyone who wants to attack the system.
If you are not used to administering Apache, the obvious question is: what do you do?
The server in question, for whatever reason, didn't have a regular home page. Probably a test environment or a "quick fix" for a problem.
The obvious solution is to get this information off the home page. A quick examination of the index.php file showed:
<?php phpinfo(); ?>
It would be simple to disable phpinfo() or remove the entry, but the resulting page would be blank, and to some in the PHP world a blank page is the "White Page of Death", which could cause confusion and waste time.
Since there wasn't a home page, a simple print statement was used to display a message, for this example "Hello":
<?php print("Hello"); ?>
This eliminates the problem, but we can go further by disabling phpinfo() altogether. This is accomplished by a change in the php.ini file:
; This directive allows you to disable certain functions for security reasons.
; It receives a comma-delimited list of function names. This directive is
; *NOT* affected by whether Safe Mode is turned On or Off.
; http://www.php.net/manual/en/ini.sect.safe-mode.php#ini.disable-functions
disable_functions = phpinfo
This requires restarting httpd.
phpinfo() can be re-enabled later by simply commenting out the disable_functions line with a leading ";" and restarting httpd.
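As an added example (not part of the original post), the following Python script audits the two things the steps above touch: whether the active disable_functions directive in a php.ini actually lists phpinfo (a line commented out with a leading ";" does not count), and whether an index.php still calls phpinfo(). The php.ini and index.php texts embedded below are constructed samples, not the audited server's files.

```python
import re

# Constructed sample php.ini fragment: the directive as the post sets it.
SAMPLE_INI_DISABLED = """
[PHP]
; This directive allows you to disable certain functions for security reasons.
disable_functions = "phpinfo, exec , shell_exec"
"""

# Constructed sample where the line was commented out with a leading ';'
# (the re-enable trick described in the post), so phpinfo is active again.
SAMPLE_INI_COMMENTED = """
[PHP]
;disable_functions = phpinfo
"""


def active_disable_functions(ini_text):
    """Return the lower-cased set of function names disabled by the last
    active disable_functions line.  Anything after ';' is a comment, so a
    commented-out line contributes nothing.  PHP keeps the last assignment
    of a directive, so a later line replaces an earlier one."""
    disabled = set()
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop trailing comments
        m = re.match(r"disable_functions\s*=\s*(.*)$", line, re.IGNORECASE)
        if m:
            value = m.group(1).strip().strip('"\'')  # allow quoted values
            disabled = {f.strip().lower() for f in value.split(",") if f.strip()}
    return disabled


def phpinfo_disabled(ini_text):
    """True when phpinfo is among the actively disabled functions."""
    return "phpinfo" in active_disable_functions(ini_text)


def homepage_calls_phpinfo(php_source):
    """True when the PHP source contains a call to phpinfo() (PHP function
    names are case-insensitive, so PHPINFO() counts too)."""
    return re.search(r"\bphpinfo\s*\(", php_source, re.IGNORECASE) is not None


if __name__ == "__main__":
    print("phpinfo disabled (set):      ", phpinfo_disabled(SAMPLE_INI_DISABLED))
    print("phpinfo disabled (commented):", phpinfo_disabled(SAMPLE_INI_COMMENTED))
    print("index.php calls phpinfo:     ", homepage_calls_phpinfo("<?php phpinfo(); ?>"))
```

Run it against a real php.ini by reading the file into a string; remember that the setting only takes effect after httpd is restarted, so the file check alone does not prove the running server has it.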
Audit answered; now back to our regularly scheduled entertainment.