Detail

Information Disclosure (phpinfo())

Severity: Low

Summary

Netsparker identified an information disclosure (phpinfo()).

phpinfo() is a debug functionality that prints out detailed information on both the system and the PHP configuration.

Impact
An attacker can obtain information such as:
  • Exact PHP version.
  • Exact OS and its version.
  • Details of the PHP configuration.
  • Internal IP addresses.
  • Server environment variables.
  • Loaded PHP extensions and their configurations.
This information can help an attacker gain more information on the system. After gaining detailed information, the attacker can research known vulnerabilities for that system under review. The attacker can also use this information during the exploitation of other vulnerabilities.
Actions To Take
  1. Remove pages that call phpinfo() from the web server.
Classifications
CAPEC-346, WASC-13, OWASP 2013-A5
Vulnerability Index

Vulnerability Index

You can search and find all vulnerabilities

Select Category

OR

Search Vulnerability

Netsparker

Dead accurate, fast & easy-to-use Web Application Security Scanner

GET A DEMO

NETSPARKER

WEB SECURITY

COMPANY

Netsparker Ltd

  • United Kingdom, (reg. no. 06947644)
  • USA Office: +1 415 877 4450
  • UK Office: +44 (0)20 3588 3840
  • contact@netsparker.com
Copyright © 2018 Netsparker Ltd. All rights reserved. | Privacy Policy