phpinfo() page on live site

Do you have a question? Post it now! No Registration Necessary.  Now with pictures!

Threaded View

I recently took over a site for a client and the original developer
has a phpinfo.php page.  I can see how this is interesting during
development on a dev site, but it seems like giving a lot of
information to the world to have it on the live site.

My question, am I overreacting or is this as dumb a move as I feel it


Re: phpinfo() page on live site

Quoted text here. Click to load it

AIR phpinfo() allows javascript injection which means someone could
abuse the link to steal cookies and hijack a session.

The information it exposes is only really a problem if there are known
(to the attacker, at least) issues in the version of software you are
using, but IME most attackers don't bother looking first before
throwing all their attacks at your box.



Re: phpinfo() page on live site


Quoted text here. Click to load it

It's OK to have a phpinfo() page somewhere in a protected admin section
of a site. I also do that, because from time to time I need to know some
details about the PHP installation and the server's environment. But it
should not be available to the normal visitor.

Quoted text here. Click to load it

I would remove it or at least restrict the access.


Site Timeline