Perishable Press

Is it Secret? Is it Safe?

Whenever I find myself working with PHP or messing around with server settings, I nearly always create a phpinfo.php file and place it in the root directory of whatever domain I happen to be working on. These types of informational files employ PHP’s handy phpinfo() function to display a concise summary of all of your server’s variables, which may then be referenced for debugging purposes, bragging rights, and so on.

While this sort of thing is normally okay, I frequently forget to remove the file and just leave it sitting there for the entire world to look at. This of course is a big “no-no” for site security, because the phpinfo.php file contains a hefty amount of information about my server, including stuff like:

  • The web server version
  • The IP address of the host
  • The version of the operating system
  • The root directory of the web server
  • Configuration information about the remote PHP installation
  • The username of the user who installed PHP and whether they are a sudo user

That, and tons more, may be accessed quite easily by just about anyone looking for it. Of course, nefarious scum could then use this information to detect a vulnerability, exploit it, and feel better about their pathetic, wasted lives.


So, wise readers, it is my advice to you (as well as to myself) to remember to protect or remove any phpinfo.php or other sensitive files that you may have sitting around on your server. An information-disclosure attack may seem like a low-priority affair, but if the attacker locates a vulnerability, you’re screwed.

How to protect your phpinfo and other sensitive files with htaccess

If you are constantly referring to the file and would rather not delete it, consider adding the following slice of HTAccess to restrict it to your own IP address only:

# protect phpinfo
# Apache 2.2 (mod_access) syntax; Apache 2.4 uses "Require ip <address>"
# in place of the Order/Deny/Allow lines. 123.456.789 is a placeholder,
# not a valid address: replace it with your own IP.
<Files php-info.php>
	Order Deny,Allow
	Deny from all
	Allow from 123.456.789
</Files>

Edit this snippet to include your specific IP address, along with any other IPs that may require access. Just add one additional Allow from 123.456.789 line per address to do so.

Likewise, to protect other files, you can replace “php-info.php” with the name of the file, or use regular expressions to pattern-match specific file sets.
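The snippet above hides one known file name. As an added audit check (my own, not code from the post or its author), the following POSIX shell function walks a web root and reports every PHP file that calls phpinfo(), whatever it is named, and says whether the .htaccess in that file's directory mentions it. The web-root path, the status labels and the tab-separated output format are assumptions; rules inherited from parent directories are not inspected.

```shell
#!/bin/sh
# Added audit helper (not from the original post): list every *.php file under a
# web root that calls phpinfo(), and note whether the .htaccess in the same
# directory names that file. Matching on content rather than file name means a
# renamed copy is found too. Only the same directory's .htaccess is inspected.
# Usage: audit_phpinfo /var/www/example   (the path is an example, not the post's)

audit_phpinfo() {
    webroot="$1"
    rc=0
    tmp=$(mktemp) || return 2

    # One path per line for every PHP file containing "phpinfo(" (any spacing).
    find "$webroot" -type f -name '*.php' \
        -exec grep -l 'phpinfo[[:space:]]*(' {} + 2>/dev/null > "$tmp"

    # Reading from the file keeps the loop in the current shell, so rc survives.
    while IFS= read -r f; do
        dir=$(dirname "$f")
        base=$(basename "$f")
        if [ -f "$dir/.htaccess" ] && grep -qF "$base" "$dir/.htaccess"; then
            state=htaccess        # named in a <Files> block; verify the rule by hand
        else
            state=unprotected     # reachable by anyone: remove it or add a rule
            rc=1
        fi
        printf '%s\t%s\n' "$state" "$f"
    done < "$tmp"

    rm -f "$tmp"
    return $rc
}
```

The function exits non-zero when at least one unprotected file is found, so it can gate a deployment step.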

Remember, when it comes to sensitive data, take an old wizard’s advice:

Keep it secret. Keep it safe.

About the Author: Jeff Starr = Web Developer. Book Author. Secretly Important.
35 responses
  1. Joseph McCullough March 17, 2010 @ 11:11 pm

    Ouch, that seems like that could turn into a major problem. I haven’t had to deal with any of that, but thanks for the heads up.

    Tell me if this would be a good idea, I’ve never done it before, just popped into my head

    I include a docheading.php in all of my files that contains the doctype, charset, php constants, and a reference to my global css style sheet. If you do that or something similar, could you possibly tag this logic with it?

    check if file phpinfo.php exists (using file_exists() )
    If it exists
    Mail to webmaster a message saying that phpinfo is still in the directory
    AND BAD THINGS WILL ENSUE.

    So you’ll get an email letting you know to delete it. You could also create a boolean value to make sure if a notification email has been sent it doesn’t continue to send every time a page loads.

    Just a silly thought :)

  2. There is absolutely no need to call this file phpinfo.php. You could, as a weak protective step, call it lkdfeorDasistidelIebederMATRosen.php, why not?

    I am always frustrated

    – to find these files at servers
    – to find these files named phpinfo.php

    no fantasy, no security!

  3. Bjorn Johansen March 18, 2010 @ 12:39 am

    I totally agree with Connie here. There is absolutely no need to mess around with .htaccess.

    If you want IP based security, you could just rewrite your phpinfo.php like this (Yes, it’s a one liner):

    <?php if ($_SERVER['REMOTE_ADDR']=='123.456.789') phpinfo(); ?>

  4. Ben Everard March 18, 2010 @ 12:48 am

    +1, why not write a post-it and place it in the middle of your screen, then you won’t forget to delete it.

    Equally like Connie said, name it super-cali-fragilistic-expiali-docious.php

    Ben

  5. Frank Martin March 18, 2010 @ 1:32 am

    I can’t understand why you’d ever create a separate file for this at all. Surely you won’t need to reference this file enough to warrant keeping it there for the duration of a project.
    Personally I’d use the same method as Bjorn, then delete it straight away; after all, how long does it take to write that line of code into an existing file? Plus, if it’s smack bang in the middle of your screen, you can’t carry on working without deleting it.

  6. patriciomg March 18, 2010 @ 1:33 am

    IMHO there’s no need to play with the .htaccess file for this. I see 3 alternatives:

    1. Just ask your sysadmin for the info you need. Done!

    2. Create your script, upload it, load it, save the result on your PC, and delete the script from your live system. Done! The configuration of a live system does not change often.

    3. On virtual hosting there’s always a cpanel tool (or similar). Which means, there’s no need to create a phpinfo script.

    I wonder why someone wants to have sensitive info on a live system. Maybe I’m still sleepy; better I go for my coffee ration :)

    regards.
    Pat.

  7. Completely agree with Connie

  8. Bart Jacobs March 18, 2010 @ 3:16 am

    To start, I never place a phpinfo file in the website root. I am always amused at the cleverness of web programmers and how they do their best to protect their work. I learn every single day.

    Connie’s right, though, be creative with naming your files (especially temp files).

  9. I don’t know if you ever did a post about this (and apologies if you did). But I just started learning the tricks and ways of htaccess. I’d be interested in learning more if you could compile some of the more common handy things that pros use now and again.

  10. Rod Homor March 18, 2010 @ 1:55 pm

    Another thing you could do is ONLY call and display the output functions IF a particular SUPER-GLOBAL variable is set in the query string. So, even if you forget to delete the file, you would be the only person to know WHAT URL value to use for that file / page to display the ‘sensitive’ data.

    For example:

    <?php
    // Show phpinfo() only when the chosen query-string parameter is present
    if ( isset( $_GET['super_secret_variable_name'] ) ) {
         phpinfo();
    }
    else {
         // Anyone who does not know the parameter name sees only this
         echo 'Are you forgetting something!!??!!';
         exit;
    }

  11. After reading this post I decided to check the server on which this was posted.

    https://perishablepress.com/php-info.php

  12. Hello, very nice post. I created one on my site based on your words, but translated into Brazilian Portuguese.
    Congratulations on your blog.

    URL: http://blog.webcres.com.br/como-proteger-o-seu-phpinfo-e-outros-arquivos-confidenciais-com-htaccess/
