I recently posted an image on why you shouldn’t put phpinfo() calls in your code.
There were a couple of comments from people asking “why not?”
Here’s why not.
- Go to Google
- Search for inurl:phpinfo
- Check out the results
At the time of writing there were 4 pages on the first result page that were broadcasting their settings.
Here’s another fun one. Search for “inurl:phpinfo root”. Lots more.
There’s a bunch of information that you will see.
- PHP Version (which you can then check against known security vulnerabilities) – You’d be surprised how many PHP 4.3 installations there are out there.
- Which extensions are loaded (which may also have vulnerabilities)
- Where all of the website files are
- The username the web server runs as. The second search turns up some scary results.
- And much, much more!
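As an added example (not code from the original post), here is a small audit script that takes a page fetched from your own site and pulls out exactly the items listed above, so you can see what an exposed phpinfo() hands out. The phpinfo HTML below is a constructed sample that mimics phpinfo()'s label/value cell layout; the helper names are my own.

```python
import html
import re

# Constructed sample of phpinfo() output (not captured from a real host). It mimics the
# class="e"/class="v" cells phpinfo() renders and the <a name="module_..."> anchor per extension.
SAMPLE_PHPINFO = """<html><body>
<h1 class="p">PHP Version 4.3.11</h1>
<table>
<tr><td class="e">_SERVER["DOCUMENT_ROOT"]</td><td class="v">/var/www/vhosts/example.test/httpdocs </td></tr>
<tr><td class="e">_SERVER["SCRIPT_FILENAME"]</td><td class="v">/var/www/vhosts/example.test/httpdocs/info.php </td></tr>
<tr><td class="e">_ENV["USER"]</td><td class="v">root </td></tr>
</table>
<h2><a name="module_mysql">mysql</a></h2>
<h2><a name="module_curl">curl</a></h2>
</body></html>"""

ROW_RE = re.compile(r'<td class="e">(.*?)</td>\s*<td class="v">(.*?)</td>', re.S)
MODULE_RE = re.compile(r'<a (?:name|href)="#?module_([A-Za-z0-9_]+)"')
VERSION_RE = re.compile(r"PHP Version\s*([0-9][0-9A-Za-z.\-]*)")

def _clean(cell: str) -> str:
    """Strip tags, decode entities and trim one table cell."""
    return html.unescape(re.sub(r"<[^>]+>", "", cell)).strip()

def looks_like_phpinfo(body: str) -> bool:
    """Cheap fingerprint for a response from your own site: version banner plus phpinfo's cell classes."""
    return bool(VERSION_RE.search(body)) and 'class="e"' in body

def extract_exposure(body: str) -> dict:
    """Pull out the items the post lists: PHP version, extensions, file paths, server user."""
    rows = {_clean(k): _clean(v) for k, v in ROW_RE.findall(body)}
    version = VERSION_RE.search(body)
    return {
        "php_version": version.group(1) if version else None,
        "extensions": sorted(set(MODULE_RE.findall(body))),
        "document_root": rows.get('_SERVER["DOCUMENT_ROOT"]'),
        "script_path": rows.get('_SERVER["SCRIPT_FILENAME"]'),
        "process_user": rows.get('_ENV["USER"]') or rows.get('_SERVER["USER"]'),
    }

def findings(info: dict) -> list:
    """Turn the extracted fields into audit findings worth fixing."""
    out = []
    if info["php_version"] and info["php_version"].startswith("4."):
        out.append("PHP 4.x has been end-of-life since 2008; no security fixes")
    if info["process_user"] == "root":
        out.append("PHP runs as root")
    if info["document_root"]:
        out.append("filesystem layout disclosed: " + info["document_root"])
    return out
```

Run `findings(extract_exposure(body))` over the response body of any page on your own site that returns true from `looks_like_phpinfo`; on the sample it reports the old PHP 4 version, the root user and the disclosed document root.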