paint-brush
2.6 Million Domains and ~45,000 Exposed Phpinfo() Later… the Story of Unprotected Phpinfo()by@sdcat
2,656 reads
2,656 reads

2.6 Million Domains and ~45,000 Exposed Phpinfo() Later… the Story of Unprotected Phpinfo()

by sdcatDecember 2nd, 2022
Read on Terminal Reader
Read this story w/o Javascript
tldt arrow

Too Long; Didn't Read

I scanned 2.6 million domains for exposed phpinfo files. The discoveries where shocking. Many outdated PHP, server or module versions. Many unsafe PHP settings for production systems and quite a lot of sensitive informations are exposed through phpinfo, like database credentials, email accounts, API secrets, access to cloud services or private keys.

Companies Mentioned

Mention Thumbnail
Mention Thumbnail
featured image - 2.6 Million Domains and ~45,000 Exposed Phpinfo() Later… the Story of Unprotected Phpinfo()
sdcat HackerNoon profile picture



After scanning 2.6 million domains for exposed .git directories (link to the article), .env (link to the article) and .DS_Store (link to the article) files, I did the same scan for phpinfo-files like info.php or phpinfo.php.

In the first part of this article, I will explain what phpinfo is and what can be extracted from it. In the second part I will talk about the sensitive information I found.


scan stats


What is phpinfo()?

phpinfo() is a function which displays information about the configuration of PHP and the server. It helps PHP developers to see which modules are active and which versions of these modules are running on the server.

Example phpinfo()

Are the data presented with phpinfo() dangerous?

On the first glance this information is not sensitive. And many developers miss to delete the phpinfo files on the production environment. But oh boy, that is not the case. After analysing the results of my scan of all the 2.6 million domains, I came to another conclusion about phpinfo().

I found over 45,000 phpinfo() pages.

Vulnerable versions of PHP

Many many years ago, I started learning PHP 4, and yes it is still running on some servers… wtf. I did the scan in October 2022. Since 28th of November 2022 PHP 7.4 and everything before is deprecated, so no more PHP 7.x only PHP 8.x is supported. But look for yourself.

PHP versions


Check your PHP Version: if < 8: 😟 else: 🙂

Vulnerable versions of ImageMagick

ImageMagick is a library to manipulate images with PHP. Some older versions had some severe security issues. From about one third we could extract the ImageMagick version. 90% of these libraries are outdated.

ImageMagick versions

Vulnerable versions of server software (like nginx, Apache or Microsoft IIS)

Often the server version is visible in the phpinfo data. Quite a lot of used servers use an deprecated version.

Server versions (Apache, nginx, IIS and others)

It is best practise to disable the server header or at least the server version.

Vulnerable versions of openssl

Another interesting module, where you can find the version information in the phpinfo data is openssl. Openssl is a toolkit for cryptography and secure communication. It is widely adopted and used. In the past there where some prominent security issues with this library (Do you remember heartbleed?)

From the versions extracted from our data set 1/3 of the used openssl libraries is outdated.

OpenSSL versions

Insecure PHP configurations

If you run a PHP web application, you should consider to enable or disable some settings to prevent information leaks and security issues in the first place.

Error reporting

On a productive system you should disable any kind of error reporting to the user. Through error reports and stack traces an attacker can gain valuable intel about your application.

display-errors


Disabled functions

In PHP you can disable some functions. It makes sense to disable some dangerous functions. For example the exec or passthru because these functions allows an attacker to execute system commands. Just under 1 per thousand PHP configurations use this option and disable all dangerous PHP functions.

disabled-functions


Allow url fopen / Allow url include / Open-basedir

In PHP there are other settings, which you have to use very consciously. For example, whether files may be opened from external sources or whether includes may be loaded from external sources. Very few PHP setups make restrictions.

Following are the statistics for the following settings:


Allow url fopen

allow-url-fopen


Allow url include

allow-url-include


Open basedir

open-basedir

Sensitive data leak 💀

The information about the server and PHP configuration may help an attacker to retrieve knowledge about possible exploits and running modules on the server. But the really juicy stuff are the sensitive data which can be exposed via phpinfo() like environment variables or the $_SERVER vars. There I found database passwords, email credentials, private keys, API secrets, Stripe live keys, credentials to cloud databases and message queues and encryption keys.

I think one hoster has a setup issue with all of his customers. The database credentials are exposed via the environment variables of all of many of his customers.

Environment variables 🤯

And $_SERVER["XXX"], also 😱

WAF bypass

In the $_SERVER vars of PHP i found about 500 direct server IP addresses of web applications which should be protected by a WAF (Web Application Firewall, like Cloudflare). When you know the direct IP address of the server, you can bypass all protection mechanims of the WAF by directly access the web application.

Cloudflare bypass with direct server IP

Conclusion

What should I say: 🤯. I was very surprised about what was found in the phpinfo(). Every PHP developer should think about what can be leaked through public accessible phpinfo() data. You should not deploy phpinfo() to the production server. Or if you need to, place the file in a password protected folder.

Also update your server software, so you get all the latest security fixes.

Check your server manually, with a nuclei template or with a service like scan.nan.io.