After scanning 2.6 million domains for exposed .git directories (link to the article), .env (link to the article) and .DS_Store (link to the article) files, I did the same scan for phpinfo-files like info.php or phpinfo.php.

In the first part of this article, I will explain what phpinfo is and what can be extracted from it. In the second part I will talk about the sensitive information I found.

What is phpinfo()?

phpinfo() is a function which displays information about the configuration of PHP and the server. It helps PHP developers to see which modules are active and which versions of these modules are running on the server.

Are the data presented with phpinfo() dangerous?

On the first glance this information is not sensitive. And many developers miss to delete the phpinfo files on the production environment. But oh boy, that is not the case. After analysing the results of my scan of all the 2.6 million domains, I came to another conclusion about phpinfo().

I found over 45,000 phpinfo() pages.

Vulnerable versions of PHP

Many many years ago, I started learning PHP 4, and yes it is still running on some servers… wtf. I did the scan in October 2022. Since 28th of November 2022 PHP 7.4 and everything before is deprecated, so no more PHP 7.x only PHP 8.x is supported. But look for yourself.

Vulnerable versions of ImageMagick

ImageMagick is a library to manipulate images with PHP. Some older versions had some severe security issues. From about one third we could extract the ImageMagick version. 90% of these libraries are outdated.

Vulnerable versions of server software (like nginx, Apache or Microsoft IIS)

Often the server version is visible in the phpinfo data. Quite a lot of used servers use an deprecated version.

Vulnerable versions of openssl

Another interesting module, where you can find the version information in the phpinfo data is openssl. Openssl is a toolkit for cryptography and secure communication. It is widely adopted and used. In the past there where some prominent security issues with this library (Do you remember heartbleed?)

From the versions extracted from our data set 1/3 of the used openssl libraries is outdated.

Insecure PHP configurations

If you run a PHP web application, you should consider to enable or disable some settings to prevent information leaks and security issues in the first place.

Error reporting

On a productive system you should disable any kind of error reporting to the user. Through error reports and stack traces an attacker can gain valuable intel about your application.

Disabled functions

In PHP you can disable some functions. It makes sense to disable some dangerous functions. For example the exec or passthru because these functions allows an attacker to execute system commands. Just under 1 per thousand PHP configurations use this option and disable all dangerous PHP functions.

Allow url fopen / Allow url include / Open-basedir

In PHP there are other settings, which you have to use very consciously. For example, whether files may be opened from external sources or whether includes may be loaded from external sources. Very few PHP setups make restrictions.

Following are the statistics for the following settings:

Allow url fopen

Allow url include

Open basedir

Sensitive data leak 💀

The information about the server and PHP configuration may help an attacker to retrieve knowledge about possible exploits and running modules on the server. But the really juicy stuff are the sensitive data which can be exposed via phpinfo() like environment variables or the $_SERVER vars. There I found database passwords, email credentials, private keys, API secrets, Stripe live keys, credentials to cloud databases and message queues and encryption keys.

I think one hoster has a setup issue with all of his customers. The database credentials are exposed via the environment variables of all of many of his customers.

WAF bypass

In the $_SERVER vars of PHP i found about 500 direct server IP addresses of web applications which should be protected by a WAF (Web Application Firewall, like Cloudflare). When you know the direct IP address of the server, you can bypass all protection mechanims of the WAF by directly access the web application.

Conclusion

What should I say: 🤯. I was very surprised about what was found in the phpinfo(). Every PHP developer should think about what can be leaked through public accessible phpinfo() data. You should not deploy phpinfo() to the production server. Or if you need to, place the file in a password protected folder.

Also update your server software, so you get all the latest security fixes.

Check your server manually, with a nuclei template or with a service like scan.nan.io.