Archive for the ‘Apache PHP’ Category

PHPINFO on the home page

Wednesday, December 17th, 2014

A recent audit found the homepage of an Apache server with phpinfo() information displaying. Phpinfo() is a valuable debugging tool as it contains all EGPCS (Environment, GET, POST, Cookie, Server) data. Really useful for debugging and information gathering if you want to attack a system.

If you are not used to handling Apache, the obvious question is what to do?

The server in question for whatever reason; didn’t have a regular home page.  Probably a test environment or a “quick fix” for a problem.

The obvious solution is to get this information out of the home page.  A quick examination of the index.php file showed:

<?php
phpinfo();
?>

It would be simple to disable phpinfo() or remove the entry but the resulting page would be blank and to some in the PHP world; this is the “White Page of Death” which could cause confusion and waste time.

Since there wasn’t a home page; a simple print command was used to display a message.  For this example “hello:”

<?php
print("Hello");
?>

This eliminates the problem but we can go further by disabling phpinfo(). This is accomplished by a change in the php.ini file.

; This directive allows you to disable certain functions for security reasons.
; It receives a comma-delimited list of function names. This directive is
; *NOT* affected by whether Safe Mode is turned On or Off.
; http://www.php.net/manual/en/ini.sect.safe-mode.php#ini.disable-functions
disable_functions = phpinfo

This requires restarting httpd.

phpinfo() can be restarted by simply placing a “;” in the disable_functions line and restarting httpd.

Audit answered; now back to our regularly scheduled entertainment.

Disabling phpinfo

Friday, December 12th, 2014

Penetration testing is something every IT group should perform as it can point out things which are often overlooked.

Such was the case of a small Apache server which uses PHP to provide an internal service. A recent PEN test showed the phpinfo function was enabled and it was the default page.

Phpinfo is a useful debugging tool as it will contain the EGPCS (Environment, GET, POST, Cookie, Server) data. This data is very useful for somebody who would want to attack the server. It is something that should be disabled.

If you never work with or rarely work with PHP, the obvious question is “How?”

Phpinfo is controlled through the php.ini file on the server. If the default parameters were used, it will exist in the /etc directory. If you are not sure, you can review the phpinfo information.  In my case, http://<server name or ip>  (I did mention this was a small server right?  Defaults).

There are other ways to disable the function but the best way is at the main php.ini file.

edit the php.ini file and look for disable_functions.

If you have a tightly controlled server, there will be other entries on that line.  Simply add :  ,phpinfo

In my case, the line looked like: disable_functions = phpinfo

After that, save your work and restart http by entering: service httpd restart

Phpinfo no longer displayed information.