Shopping Cart Software Forum for Ecommerce Templates
Urgent Security Vulnerability: phpinfo.php
ITZAP
Ecommerce Template Guru

Australia
1017 Posts

Posted - 11/05/2024 :  17:56:01  
I just received an email suggesting that one of my websites has an "Urgent Security Vulnerability".
Vulnerability Type: Information Disclosure.

"The file phpinfo.php on the server contains a call to the phpinfo() function, which outputs detailed information about the PHP environment. This information includes the PHP version, server details, loaded extensions, environment variables, and more. An attacker can use this data to identify weaknesses in the server configuration and potentially craft specific attacks against the server."

"Server Fingerprinting: Attackers can fingerprint the server based on the disclosed PHP version, server software, and installed modules, allowing them to identify specific vulnerabilities to exploit."

"Sensitive Information Disclosure: The output may include sensitive information such as environment variables, file paths, and configuration settings that could be used to further compromise the server."

"Targeted Attacks: With the detailed information provided by the PHP Info page, attackers can perform targeted attacks against known vulnerabilities in the disclosed PHP version or installed extensions."

On that basis, I simply deleted the phpinfo.php file from all my website servers.

Gary

dbdave
ECT Moderator

USA
10406 Posts

Posted - 11/06/2024 :  08:00:50  
Hi Gary, I'm thinking that's not part of the ect package.
Perhaps it's something put there by your host?
I have used it myself for diagnostic work, but again, I don't think this is part of the ect package and most folks should not have that on their server.

Thanks,
David

Vince
Administrator

42747 Posts

Posted - 11/06/2024 :  12:34:57  
Hi Gary, David
No, that's not part of the ect package and is normally just a script with the PHP function "phpinfo()" in it. You did the right thing just deleting it and if you should ever need it, just make a file with that function again.

Vince

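An added example, not part of this thread or of the ECT package: since the file can turn up under any name (a renamed copy is just as exposed as phpinfo.php), the practical check is to search the public web root for any PHP file that calls phpinfo(), delete what is found, and confirm from outside that the URL no longer answers with 200. The last function shows how to recreate the page for a one-off diagnostic session so that it only answers requests from the server itself. The directory name, file names and IP checks are assumptions for the demo, and the sample files are constructed here.

```shell
#!/bin/sh
# Added example, not code from the forum thread or the ECT package.
# Hunts for any web-served PHP file that calls phpinfo(), whatever it is
# named, removes it, and shows a safer way to bring one back temporarily.

# List files under DOCROOT (assumed to be the public web root, e.g.
# public_html) whose source contains a phpinfo() call, regardless of name.
find_phpinfo_files() {
    find "$1" -type f \( -name '*.php' -o -name '*.phtml' \) \
        -exec grep -lE 'phpinfo[[:space:]]*\(' {} + 2>/dev/null | sort
}

# Number of such files; 0 is the state you want on a production server.
count_phpinfo_files() {
    n=$(find_phpinfo_files "$1" | grep -c '') || true
    echo "$n"
}

# Delete everything the scan found, printing each path removed.
remove_phpinfo_files() {
    find_phpinfo_files "$1" | while IFS= read -r f; do
        rm -f -- "$f" && echo "removed: $f"
    done
}

# After deleting, confirm from the outside: 404 (or 403) is what you want,
# 200 means the page is still being served. Not run by the demo below.
check_url() {
    curl -s -o /dev/null -w '%{http_code}' "$1"
}

# Recreate a diagnostic page at PATH for a one-off session. It refuses any
# request that does not come from the machine itself, so it cannot be read
# from the internet. Assumption: PHP sees the real client address (behind a
# reverse proxy or CDN, REMOTE_ADDR is the proxy, so this check is not enough).
# Remove the file again when you are done.
make_restricted_phpinfo() {
    cat > "$1" <<'EOF'
<?php
// Temporary diagnostic page: only answer requests from the local machine.
$remote = $_SERVER['REMOTE_ADDR'] ?? '';
if ($remote !== '127.0.0.1' && $remote !== '::1') {
    http_response_code(404);
    exit;
}
phpinfo();
EOF
}

# Build a constructed web root in a temp directory to exercise the functions:
# the classic file, a renamed copy, a harmless script and a text file that
# merely mentions phpinfo but is never executed as PHP.
demo_docroot() {
    d=$(mktemp -d)
    mkdir -p "$d/assets"
    printf '<?php phpinfo(); ?>\n' > "$d/phpinfo.php"
    printf '<?php\n  phpinfo ();\n' > "$d/assets/test.php"        # renamed, still caught
    printf '<?php echo "hello";\n' > "$d/index.php"               # not reported
    printf 'phpinfo() mentioned in a note\n' > "$d/notes.txt"     # not served as PHP
    echo "$d"
}
```

Run the scan against the real web root (for example `find_phpinfo_files ~/public_html`) rather than the whole filesystem, since only files under the document root are reachable by URL; after removing them, `check_url https://example.com/phpinfo.php` (the host name is a placeholder) should report 404.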

steven vaccaro
Ecommerce Template Guru

USA
1045 Posts

Posted - 11/11/2024 :  07:58:12  
I found a file with a different name, it looks like this. Should I delete it?

dbdave
ECT Moderator

USA
10406 Posts

Posted - 11/11/2024 :  08:19:21  
Hi Steven, yes that is the file - it's helpful for diagnostics, but may also help hackers better understand your server settings.
I expect some host put it there in case you need it.

Thanks,
David

steven vaccaro
Ecommerce Template Guru

USA
1045 Posts

Posted - 11/11/2024 :  08:34:09  
Thanks Dave