Hello,
I recently took over a site for a client and the original developer
has a phpinfo.php page. I can see how this is interesting during
development on a dev site, but it seems like giving a lot of
information to the world to have it on the live site.
My question, am I overreacting or is this as dumb a move as I feel it
is?
Thanks.
On 24 Sep, 21:36, KDawg44
> Hello,
>
> I recently took over a site for a client and the original developer
> has a phpinfo.php page. I can see how this is interesting during
> development on a dev site, but it seems like giving a lot of
> information to the world to have it on the live site.
>
> My question, am I overreacting or is this as dumb a move as I feel it
> is?
>
> Thanks.
AIR phpinfo() allows javascript injection which means someone could
abuse the link to steal cookies and hijack a session.
The information it exposes is only really a problem if there are known
(to the attacker, at least) issues in the version of software you are
using, but IME most attackers don't bother looking first before
throwing all their attacks at your box.
HTH
C.
..oO(KDawg44)
>I recently took over a site for a client and the original developer
>has a phpinfo.php page. I can see how this is interesting during
>development on a dev site, but it seems like giving a lot of
>information to the world to have it on the live site.
It's OK to have a phpinfo() page somewhere in a protected admin section
of a site. I also do that, because from time to time I need to know some
details about the PHP installation and the server's environment. But it
should not be available to the normal visitor.
>My question, am I overreacting or is this as dumb a move as I feel it
>is?
I would remove it or at least restrict the access.
Micha