Technical information leak
Need
Protection of sensitive technical information from unauthorized access
Context
- Usage of PHP for server-side scripting and web development
- Usage of PHP for server-side scripting and web development
Description
Non compliant code
<?php
// get phpinfo
ob_start();
phpinfo();
$info = ob_get_contents();
ob_end_clean();
// display phpinfo
echo "<pre>$info</pre>";
?>
The above code is a simple PHP script that gets and displays the PHP configuration information using the phpinfo() function. This function outputs a large amount of information about the current state of PHP, including compilation options and extensions, version, server information and environment, OS version information, paths, master and local values of configuration options, HTTP headers, and the PHP License.
This information is extremely useful when debugging, but it also exposes a lot of sensitive information about the system, such as the server version, PHP version, loaded PHP extensions, and server configuration. This can be used by an attacker to identify potential vulnerabilities in the system and exploit them.
Steps
- Remove the phpinfo() function as it exposes sensitive information about the PHP environment, server, and other configurations.
- If you need to display PHP configuration information, consider creating a custom script that only shows the necessary details.
- Ensure that error reporting is turned off in production environments to prevent leakage of sensitive information.
- Regularly update and patch your server and PHP to the latest versions to avoid known vulnerabilities.
- Configure your server to minimize the information provided in HTTP headers and service banners.
Compliant code
<?php
// get phpinfo
// ob_start();
// phpinfo();
// $info = ob_get_contents();
// ob_end_clean();
// display phpinfo
// echo "<pre>$info</pre>";
?>
The original code was vulnerable because it used the phpinfo() function, which displays detailed information about the current state of PHP, including the PHP compilation options and extensions, the PHP version, server information and environment (if compiled as a module), the PHP environment, OS version information, paths, master and local values of configuration options, HTTP headers, and the PHP License. This information can be used by attackers to find potential vulnerabilities in your system.
The fixed code simply comments out the phpinfo() function and the echo statement that displays the information. This prevents the leakage of sensitive information about the PHP environment, server, and other configurations.
In addition to this, you should also consider the following security measures:
- If you need to display PHP configuration information, consider creating a custom script that only shows the necessary details.
- Ensure that error reporting is turned off in production environments to prevent leakage of sensitive information.
- Regularly update and patch your server and PHP to the latest versions to avoid known vulnerabilities.
- Configure your server to minimize the information provided in HTTP headers and service banners.