phpinfo() Output Detected
Summary#
Invicti identified a phpinfo() output.
phpinfo() is a debug functionality that prints out detailed information on both the system and the PHP configuration.
Impact#
An attacker can obtain information such as:
- Exact PHP version.
- Exact OS and its version.
- Details of the PHP configuration.
- Internal IP addresses.
- Server environment variables.
- Loaded PHP extensions and their configurations.
This information can help an attacker to gain more information on the system. After gaining detailed information, the attacker can research known vulnerabilities for that system under review. The attacker can also use this information during the exploitation of other vulnerabilities.
Actions To Take#
- Remove pages that call phpinfo() from the web server.
- You can disable phpinfo() by using global php configurations.
Classifications#
Invicti Security Insights
- Sven Morgenroth Talks About PHP Object Injection Vulnerabilities on Paul’s Security Weekly Podcast
- End of Support for PHP 5 and PHP 7.0
- The Powerful Resource of PHP Stream Wrappers
- Sven Morgenroth Talks About PHP Type Juggling on Paul’s Security Weekly Podcast
- Detailed Explanation of PHP Type Juggling Vulnerabilities
Vulnerability Index
You can search and find all vulnerabilities
Select Category
OR
Search Vulnerability
Tags
Related Vulnerabilities
