Why you should be careful with phpinfo

I recently posted an image on why you shouldn’t put phpinfo() calls in your code.

There were a couple of comments from people asking “why not?”

Here’s why not.

  1. Go to Google
  2. Search for inurl:phpinfo
  3. Check out the results

At the time of writing there were 4 pages on the first result page that were broadcasting their settings.

Here’s another fun one.  Search for “inurl:phpinfo root”.  Lots more.

There’s a bunch of information that you will see.

  1. PHP Version (which you can then check against for security vulnerabilites) – You’d be surprised how many PHP 4.3 installations there are out there.
  2. Which extensions are loaded (which may also have vulnerabilities)
  3. Where all of the website files are
  4. The username of the web server.  The second search will show up some scaring results.
  5. And much, much more!

Related posts

Leave a Comment