#1
Security Issue?
Do you believe there is a security issue with letting someone see a phpinfo() page?
For instance, a hosting company wants potential clients to see how PHP is compiled. Is there a security risk with showing this? Discuss.
#2
RE: Security Issue?
I'd say that depends on the server. The biggest threat about phpinfo() is that it reveals version numbers for many things, which lets a potential attacker know what known security holes might be active and worth trying. It also reveals all the PHP settings, which might reveal potential weaknesses in PHP scripts themselves.
However, if the server is kept up-to-date very well as far as security patches are concerned, I see no problem with having a public phpinfo page. In fact, not revealing to a potential customer what they will get makes me suspicious. Are they trying to hide something? I don't remember who said it, but someone's point was that messages protected with a strong encryption mechanism must not be compromised just because the encryption mechanism becomes widely known. I think it can be applied to this.
#3
RE: Security Issue?
I basically agree with tkarkkainen. Thinking you are secure by hiding your system's details is simply "security through obscurity."
#4
RE: Security Issue?
Thanks for the link, honcho. It was Kerckhoffs's law I was referring to.
A quote from that Wikipedia page (underlining by me): Quote:
#5
RE: Security Issue?
The output of phpinfo() can be customized by passing it optional constants, which is useful for not displaying information that might be considered vulnerable. That can benefit the hypothetical hosting companies.
Further, php.net is open-source, but can you find the phpinfo() file for their site? Because I can't. They don't give any potential warnings about it in the manual either. Why not? Search Google for phpinfo.php and it brings up about 93,000 results. Are these sites at risk? I don't hear about servers getting hacked "because" of PHP that often. So I think we're given the impression that it's safe, but, as every programmer knows, ignorance is not bliss. It very well could be a risk. Overall I don't think it's any different from the Windows vs. open-source argument. Is there a definitive answer? Probably not.
#6
RE: Security Issue?
I personally keep my phpinfo hidden on my site. Why? There is no need for someone else to see it or how my site is configured. I _could_ have a hole somewhere and not realize it, so why advertise it to the whole world?
A shared hosting company is a different animal though. Personally I believe a shared hosting company should make its phpinfo available to prospective customers if they request it (though most customers probably never will), even if it is only available on a temporary page for a finite duration and password protected.
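The two ideas raised in #5 and #6, passing phpinfo() its optional section constants and serving the result on a temporary, password-protected page, fit together in one script. The following is an added example written for this thread; it is not code from any poster or hosting company. It assumes the web server hands HTTP Basic Auth credentials to PHP in `$_SERVER['PHP_AUTH_USER']` and `$_SERVER['PHP_AUTH_PW']` (mod_php does; FastCGI setups may need a rewrite rule), and the username, password hash and expiry date are placeholders to replace.

```php
<?php
// Added example, not code from the thread: a phpinfo() page limited to the
// sections a prospective customer needs, behind HTTP Basic Auth and a hard
// expiry date. The three constants below are placeholders.

const REVIEW_USER = 'prospect';                               // placeholder
// Generate with: php -r 'echo password_hash("choose-a-secret", PASSWORD_DEFAULT);'
const REVIEW_PASSWORD_HASH = '$2y$10$REPLACE_WITH_REAL_HASH';   // placeholder
const REVIEW_EXPIRES = '2000-01-01T00:00:00+00:00';            // placeholder ISO-8601 date

// The page is only served before the expiry; $now is injectable for testing.
function review_window_open(string $expires, ?int $now = null): bool
{
    $deadline = strtotime($expires);
    if ($deadline === false) {
        return false;   // an unparsable date fails closed
    }
    return ($now ?? time()) < $deadline;
}

// Constant-time username comparison, then password_verify() against the stored hash.
function authorized(?string $user, ?string $pass): bool
{
    if ($user === null || $pass === null) {
        return false;
    }
    return hash_equals(REVIEW_USER, $user)
        && password_verify($pass, REVIEW_PASSWORD_HASH);
}

if (!review_window_open(REVIEW_EXPIRES)) {
    http_response_code(410);
    exit("This review page has expired.\n");
}

if (!authorized($_SERVER['PHP_AUTH_USER'] ?? null, $_SERVER['PHP_AUTH_PW'] ?? null)) {
    header('WWW-Authenticate: Basic realm="phpinfo review"');
    http_response_code(401);
    exit("Authentication required.\n");
}

// Keep search engines and caches from holding a copy after the page is removed.
header('X-Robots-Tag: noindex, nofollow');
header('Cache-Control: no-store');

// Build details, ini directives and loaded modules only. INFO_ENVIRONMENT and
// INFO_VARIABLES (environment, $_SERVER paths, request data) are deliberately
// left out; INFO_ALL is what you get when no flags are passed.
phpinfo(INFO_GENERAL | INFO_CONFIGURATION | INFO_MODULES);
```

Once the expiry passes the script answers 410 to everyone, so the file can be left in place until the next cleanup without reopening the page; deleting it outright is still the simplest end state.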
#7
RE: Security Issue?
George Carlin says "You have to be realistic about terrorism," and it all depends on what your site is offering, i.e. NASA's website is a lot more likely to be a source of attacks than, let's say, a "Grandma's Old Style Recipes" site.
Information is power, so yes, the phpinfo() page is ultimately a security risk. Researching your hosting provider is also key to making sure that your chances of being attacked are lower, because no system is invulnerable. I for one don't even have a phpinfo() page, and if a client of mine wants to see that information for their own satisfaction I usually politely explain to them that I will show them by creating the file on the fly, then promptly delete the page afterwards for security reasons, and briefly discuss why so as not to alarm them.
#8
RE: Security Issue?
On my personal server, I would be quite reluctant to provide my phpinfo, simply because it has a whole lot of information about my computer itself. I'm not a hacker, so I don't know what can be done with all that information, but I'm sure it wouldn't be good.
#9
RE: Security Issue?
Ya, I think it could offer holes, mainly things like register_globals; knowing that gives a lot of hand-written PHP scripts an easy way in (or magic_quotes_gpc). It's not really a threat to well-written scripts, but knowing a potential hole in a hand-written script running on a smaller site makes it much easier to get in.
And honestly, depending on what I was hacking it for, I would go for grandma's cookie site instead of NASA, mainly because you wouldn't be caught as easily, and you have a better chance of getting in, especially if your goal is to use it as a source for hacking elsewhere. Overall, I think it should be provided to clients or potential clients on request. If you're looking for a quick, easy hack, then that would deter most from pursuing it further to find holes (since you can find thousands on Google anyway that may have the holes you're looking for).
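The settings named in #9 are worth checking from the server's own side, before anyone else reads them off a phpinfo() page. The following audit script is an added example for this thread, not code from any poster. It assumes it runs under the same SAPI and php.ini as the site (the CLI can load a different php.ini), and relies on ini_get() returning false for a directive the build does not know, which is what happens for register_globals and magic_quotes_gpc on PHP 5.4 and later, where both were removed.

```php
<?php
// Added example, not code from the thread: report which of the ini directives
// an exposed phpinfo() would advertise are currently in their risky state.

// null = directive unknown to this build, otherwise its boolean state.
function ini_enabled(string $directive): ?bool
{
    $value = ini_get($directive);
    if ($value === false) {
        return null;
    }
    // Accepts "1", "On", "true", "yes"; anything else is off.
    return filter_var($value, FILTER_VALIDATE_BOOLEAN);
}

// directive => why it matters when switched on
const RISKY_WHEN_ON = [
    'register_globals'  => 'request parameters become global variables',
    'magic_quotes_gpc'  => 'scripts may lean on it instead of proper escaping',
    'display_errors'    => 'error text with file paths is shown to visitors',
    'expose_php'        => 'the X-Powered-By header reveals the PHP version',
    'allow_url_include' => 'include/require can load code from a URL',
];

// Returns only the directives that exist on this build and are enabled.
function risky_settings(array $checks = RISKY_WHEN_ON): array
{
    $findings = [];
    foreach ($checks as $directive => $why) {
        if (ini_enabled($directive) === true) {
            $findings[$directive] = $why;
        }
    }
    return $findings;
}

$findings = risky_settings();
if ($findings === []) {
    echo "No audited directive is enabled.\n";
} else {
    foreach ($findings as $directive => $why) {
        printf("%-18s on: %s\n", $directive, $why);
    }
}
```

Run it as a web request rather than from the command line when the two SAPIs use different ini files; the list of directives is the point to extend, one line per setting you would not want strangers to learn from phpinfo().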
#10
RE: Security Issue?
For that matter, a shared hosting company could capture all the data from phpinfo() and put it into a text file or a spreadsheet, which could be made available to all who request it. Then you could delete the phpinfo() page forever and still make the data available to those who need to see it.
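The snapshot approach above can be scripted so the live page never needs to exist for long. The following is an added example for this thread, not code from any poster: it buffers one phpinfo() call, flattens the HTML or CLI output to text, redacts directives that give away the filesystem layout, and writes the result to a file outside the web root. It assumes it runs under the same SAPI and php.ini as the customer-facing site, and the output path is a placeholder.

```php
<?php
// Added example, not code from the thread: capture phpinfo() once into a
// redacted plain-text snapshot that can be handed to people who ask.

// phpinfo() writes straight to the output stream, so buffer it to get a string.
function capture_phpinfo(int $flags = INFO_ALL): string
{
    ob_start();
    phpinfo($flags);
    return (string) ob_get_clean();
}

// Web SAPIs emit HTML tables; the CLI emits "name => local => master" lines.
// Either way this yields one directive per line with tab-separated cells.
function to_plain_text(string $raw): string
{
    $text = strip_tags(str_replace(['</td>', '</th>', '</tr>'], ["\t", "\t", "\n"], $raw));
    $text = html_entity_decode($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $text = preg_replace('/[ \t]+$/m', '', $text);    // trailing cell separators
    return preg_replace("/\n{3,}/", "\n\n", $text);
}

// Replace the value of each named directive, whichever line format it came in.
function redact(string $text, array $names): string
{
    foreach ($names as $name) {
        $pattern = '/^(' . preg_quote($name, '/') . ')(?=[\s=]).*$/m';
        $text = preg_replace($pattern, '$1 => [redacted]', $text);
    }
    return $text;
}

// Build details, ini directives and modules; no environment or request data.
$flags = INFO_GENERAL | INFO_CONFIGURATION | INFO_MODULES;
$snapshot = redact(to_plain_text(capture_phpinfo($flags)), [
    'Loaded Configuration File', 'session.save_path', 'upload_tmp_dir',
    'error_log', 'include_path', 'open_basedir', 'extension_dir', 'sendmail_path',
]);

$path = dirname(__DIR__) . '/phpinfo-snapshot.txt';   // placeholder: keep outside the web root
file_put_contents($path, $snapshot, LOCK_EX);
chmod($path, 0640);
echo 'Wrote ', strlen($snapshot), " bytes to $path\n";
```

The redaction list is deliberately small and explicit; read the snapshot once before publishing it, since what counts as sensitive depends on the host, and regenerate it after every PHP upgrade so the version numbers stay honest.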
#11
RE: Security Issue?
Related: anyone else see the Yahoo phpinfo page that was sent out to the PHP mailing list? Pretty interesting.
Please note that the page was taken offline within minutes of the post.
#12
RE: Security Issue?
It will not be a threat if you know that your server is secure.
Most web servers can be hacked even without seeing their phpinfo() anyway....
#13
RE: Security Issue?
Quote:
Hackers/programmers know the threats or the holes of each version of software you are providing them. So it will facilitate them and let them give it a try to hack easily rather than trying here and there. I believe nothing is 100% secure, but the level of security of your site depends widely on how smart the sys/security admin is + the way your site is programmed + ...etc.
Viewing: Codewalkers Forums > General > General Chat > Security Issue?