  1. #1
    Join Date
    Aug 2004

    PHP Leaking Login Info To The World

    Check this url:

    Go down to or search for

    I am not sure why PHP is leaking important info to the world. It is extremely. It is so easy for any script to get access to all system data, thinking about a shared hosting environment.

  2. #2
    Join Date
    Apr 2001
    Well, that's generally why it's suggested not to place a phpinfo.php file in a publicly accessible location. If you're in so much fear, add phpinfo to the disabled functions in your php.ini.

  3. #3
    Join Date
    Oct 2002
    State of Disbelief
    While this is a bad thing to do, perhaps posting the link to it and making it even easier for people to find is worse? You probably should have just shown a snip, with the IP, etc. blurred out or removed...

  4. #4
    Join Date
    Aug 2003
    Yes, this is a bit odd. You can always remove the function instead, so you don't have to worry about this issue.

  5. #5
    Join Date
    Nov 2004
    Huh? I'm confused. This isn't leaking important information to the *world*. It's only leaking it to the programmer writing the .php scripts. And nearly all of that information being 'leaked' is incredibly useful and necessary when writing PHP scripts. phpinfo() is not something that should ever be left lying around for random people to run. It's not insecure as such, it just discloses more information about your web server than is sensible.

    Oh, and if the world can put PHP scripts on your server when they feel like it, you've got much bigger problems than this!!

    And yes, in a shared hosting environment, it is easy for someone to get access to some of your data, especially if your shared environment doesn't use suexec/phpsuexec. However, if your files are correctly protected, it's fairly difficult for them to do it, and if your data is in a MySQL database, it's considerably more difficult. The point is, there is no such thing as "perfectly secure"; anything that is that secure is generally highly complex and really unusable. One example was a bank that was using a vendor-built security gateway to run some of their code. It was so complex that none of the development or admin staff understood it and in the end it was only used for a short time and then discarded. Even on a non-shared server, if a smart hacker is determined enough, your data will be readable. You just need to make it hard enough to discourage casual attackers, take great backups, and keep your machines up to date with patches, and not antagonize smart hackers, and you should be fine!
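
An added example, not part of any post in this thread: a Python audit for the two mitigations the replies mention, keeping phpinfo() scripts out of publicly accessible locations and listing phpinfo in php.ini's disable_functions. The file extensions, the "last active line wins" rule, and the sample files and php.ini text are assumptions constructed for the example; the call matching is a line-based heuristic, not a PHP parser.

```python
import re
import tempfile
from pathlib import Path

# Heuristic match for a call to the built-in: "phpinfo(" not preceded by an
# identifier character, "$", "->" or "::" (so $x->phpinfo() is ignored).
CALL_RE = re.compile(r"(?<![\w$>:])phpinfo\s*\(", re.IGNORECASE)
PHP_SUFFIXES = {".php", ".phtml"}  # assumption: extensions the server executes

def disabled_functions(ini_text):
    """Names listed in disable_functions (assumes the last active line wins)."""
    names = set()
    for line in ini_text.splitlines():
        line = line.split(";", 1)[0]  # ';' starts a php.ini comment
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "disable_functions":
            value = value.strip().strip('"')
            names = {n.strip().lower() for n in value.split(",") if n.strip()}
    return names

def find_phpinfo_calls(docroot):
    """Return sorted (relative path, line number) pairs that call phpinfo()."""
    hits = []
    for path in Path(docroot).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in PHP_SUFFIXES:
            continue
        text = path.read_text(errors="replace")
        for number, line in enumerate(text.splitlines(), start=1):
            if line.lstrip().startswith(("//", "#", "*", "/*")):
                continue  # whole-line comment; inline comments are not parsed
            if CALL_RE.search(line):
                hits.append((path.relative_to(docroot).as_posix(), number))
    return sorted(hits)

def demo():
    """Run both checks on constructed sample input."""
    ini = "; constructed sample\ndisable_functions = exec, PHPINFO ,system\n"
    with tempfile.TemporaryDirectory() as root:
        base = Path(root)
        (base / "admin").mkdir()
        (base / "admin" / "info.php").write_text("<?php\nphpinfo();\n")
        (base / "index.php").write_text("<?php\n// phpinfo();\necho $o->phpinfo();\n")
        (base / "notes.txt").write_text("phpinfo() mentioned in a text file\n")
        return disabled_functions(ini), find_phpinfo_calls(base)

if __name__ == "__main__":
    disabled, hits = demo()
    print("phpinfo disabled:", "phpinfo" in disabled)
    for rel, number in hits:
        print(f"{rel}:{number}: phpinfo() call")
```

Each reported path is a candidate for review; a hit under the document root on a host where phpinfo is not in disable_functions is the exposure the thread describes.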
