Tii Posted September 28, 2009
Dear PHP freaks, I'm an AIX sysadmin who is filling in for our Linux/Apache/PHP expert, solving some security issues that popped up after an audit. After having searched for a few hours with Google and on forums, I will ask a question here. I have an Apache webserver running with PHP version 4.3.9. Is it possible to disable the phpinfo function for this version? In php.ini I have tried two different directives to disable it:
safe_mode = on
disable_functions = phpinfo
After stopping and starting the httpd daemon, both directives give me the same result: a test still provides me with phpinfo :/
PFMaBiSmAd Posted September 28, 2009
Using disable_functions = phpinfo does work, so it is likely that the php.ini that you were changing is not the one that PHP is using. What does the phpinfo() output show for the Loaded Configuration File setting? Also, the phpinfo() function should not really be a security issue, because you should never leave any script files on a public web server that contain a phpinfo() statement.
PFMaBiSmAd Posted September 28, 2009
And it just occurred to me that some security test probably attempted to inject raw PHP code into one of your scripts and it was executed, the test code being a phpinfo() function. If so, the issue is not the phpinfo() function, but the fact that raw PHP code could be injected and executed on your server. What exact problem are you having?
Tii Posted September 28, 2009 (author)
phpinfo gives:
Configuration File (php.ini) Path | /etc/php.ini
Scan this dir for additional .ini files | /etc/php.d
I have edited /etc/php.ini with the directives and checked that there are no double entries. /etc/php.d is empty. Looking at the phpinfo output, the changes I made to php.ini actually seem to be loaded:
Configuration - PHP Core
Directive | Local Value | Master Value
allow_call_time_pass_reference | Off | Off
allow_url_fopen | On | On
always_populate_raw_post_data | Off | Off
arg_separator.input | & | &
arg_separator.output | & | &
asp_tags | Off | Off
auto_append_file | no value | no value
auto_prepend_file | no value | no value
browscap | no value | no value
default_charset | no value | no value
default_mimetype | text/html | text/html
define_syslog_variables | Off | Off
disable_classes | no value | no value
disable_functions | php.info | php.info
display_errors | On | On
display_startup_errors | On | On
doc_root | no value | no value
docref_ext | no value | no value
docref_root | no value | no value
enable_dl | On | On
error_append_string | no value | no value
error_log | /var/log/httpd/php_error.log | /var/log/httpd/php_error.log
error_prepend_string | no value | no value
error_reporting | 2047 | 2047
expose_php | Off | Off
extension_dir | /usr/lib/php4 | /usr/lib/php4
file_uploads | On | On
gpc_order | GPC | GPC
highlight.bg | #FFFFFF | #FFFFFF
highlight.comment | #FF8000 | #FF8000
highlight.default | #0000BB | #0000BB
highlight.html | #000000 | #000000
highlight.keyword | #007700 | #007700
highlight.string | #DD0000 | #DD0000
html_errors | On | On
ignore_repeated_errors | Off | Off
ignore_repeated_source | Off | Off
ignore_user_abort | Off | Off
implicit_flush | Off | Off
include_path | .:/usr/share/pear | .:/usr/share/pear
log_errors | On | On
log_errors_max_len | 1024 | 1024
magic_quotes_gpc | Off | Off
magic_quotes_runtime | Off | Off
magic_quotes_sybase | Off | Off
max_execution_time | 30 | 30
max_input_nesting_level | 64 | 64
max_input_time | 60 | 60
memory_limit | 8M | 8M
open_basedir | no value | no value
output_buffering | no value | no value
output_handler | no value | no value
post_max_size | 8M | 8M
precision | 14 | 14
register_argc_argv | On | On
register_globals | Off | Off
report_memleaks | On | On
safe_mode | On | On
safe_mode_exec_dir | no value | no value
safe_mode_gid | Off | Off
safe_mode_include_dir | /mnt/ff/ | /mnt/ff/
sendmail_from | no value | no value
sendmail_path | /usr/sbin/sendmail -t -i | /usr/sbin/sendmail -t -i
serialize_precision | 100 | 100
short_open_tag | On | On
SMTP | localhost | localhost
smtp_port | 25 | 25
sql.safe_mode | Off | Off
track_errors | Off | Off
unserialize_callback_func | no value | no value
upload_max_filesize | 2M | 2M
upload_tmp_dir | no value | no value
user_dir | no value | no value
variables_order | EGPCS | EGPCS
xmlrpc_error_number | 0 | 0
xmlrpc_errors | Off | Off
y2k_compliance | On | On
There are no entries in /var/log/httpd/php_error.log. Am I using the right method to check if it is still a vulnerability? For testing I am using a file named phpinfo.php in the root of the domain:
[root@lada html]# cat phpinfo.php
<?php phpinfo(); ?>
Then I run that from a browser by typing http://lada/phpinfo.php. So far it still works.
Tii Posted September 28, 2009 (author)
In reply to your 2nd post: a penetration test showed that the above-stated phpinfo.php file was present in a directory of a webserver. Instead of just removing the file, I have been asked to make the phpinfo thing totally non-functional, because with us it is possible for some (internal) users that have access to particular directories on the webserver to create a phpinfo.php again, which could then be run by anyone once in place.
PFMaBiSmAd Posted September 28, 2009
This:
disable_functions php.info php.info
is not:
phpinfo
Tii Posted September 29, 2009 (author)
I feel silly, but yes, that did the trick! I just copy-pasted disable_functions = php.info from a page I googled. Thanks for your time, I'm a happy panda!
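The whole thread turned on a misspelled entry: PHP accepts any text in disable_functions and silently disables nothing when the name does not match an existing internal function, so the only evidence was that phpinfo() kept working. The small linter below is an added example, not code from anyone in this thread. It parses the disable_functions directive out of a php.ini file (taking the last assignment when the directive is repeated, as PHP's ini parser does), flags entries that cannot be PHP function names (a dot, as in php.info, is never valid), and reports which of the functions you intended to disable are actually missing from the list. The two php.ini fragments embedded in it are constructed to mirror the thread's broken and corrected configurations; the file path on the command line is an assumed argument, not something from the original posts.

```python
"""Lint the disable_functions directive of a php.ini file.

Added example for this thread (not code from the original posters). It
reproduces the mistake discussed above: an entry such as ``php.info`` is
accepted by PHP but matches no function, so nothing gets disabled.
"""
import re
import sys
from pathlib import Path

# A PHP function name: a letter, underscore or byte 0x80-0xff, followed by
# letters, digits, underscores or bytes 0x80-0xff. A dot can never appear.
PHP_FUNCTION_NAME = re.compile(r'^[A-Za-z_\x80-\xff][A-Za-z0-9_\x80-\xff]*$')

# Constructed php.ini fragment mirroring the thread's broken configuration.
SAMPLE_INI_BAD = """\
[PHP]
; hardening directives copied from a web page
safe_mode = On
disable_functions = php.info
expose_php = Off
"""

# Constructed php.ini fragment with the directive spelled correctly.
SAMPLE_INI_GOOD = """\
[PHP]
disable_functions = "phpinfo, exec, shell_exec"
"""


def parse_disable_functions(ini_text):
    """Return the entries of disable_functions as a list, or None if unset.

    Comments start with ';' and section headers are skipped. When the
    directive appears more than once the last assignment wins, which is
    how PHP applies repeated ini directives.
    """
    value = None
    for raw in ini_text.splitlines():
        line = raw.split(';', 1)[0].strip()          # drop ; comments
        if not line or line.startswith('[') or '=' not in line:
            continue
        key, val = (part.strip() for part in line.split('=', 1))
        if key == 'disable_functions':
            value = val.strip('"\'')                 # values may be quoted
    if value is None:
        return None
    return [entry.strip() for entry in value.split(',') if entry.strip()]


def check_disable_functions(entries, required):
    """Return human-readable findings; an empty list means the directive is sane.

    ``required`` lists the functions the operator intends to have disabled.
    Names are compared exactly, so spell them in lowercase as PHP documents them.
    """
    findings = []
    if entries is None:
        findings.append('disable_functions is not set at all')
        entries = []
    for entry in entries:
        if not PHP_FUNCTION_NAME.match(entry):
            findings.append(
                f'{entry!r} is not a valid PHP function name and will disable nothing')
    present = set(entries)
    for name in required:
        if name not in present:
            findings.append(f'{name} is not listed in disable_functions')
    return findings


def lint_file(path, required=('phpinfo',)):
    """Lint a php.ini on disk; the path is an assumed argument, not from the thread."""
    text = Path(path).read_text(encoding='utf-8', errors='replace')
    return check_disable_functions(parse_disable_functions(text), list(required))


if __name__ == '__main__':
    # Usage: python lint_php_ini.py /etc/php.ini  (defaults to the broken sample)
    if len(sys.argv) > 1:
        results = lint_file(sys.argv[1])
    else:
        results = check_disable_functions(
            parse_disable_functions(SAMPLE_INI_BAD), ['phpinfo'])
    for line in results or ['OK: every required function is disabled']:
        print(line)
```

Run it against the php.ini that phpinfo() reports under "Loaded Configuration File", since, as the second post notes, editing a file PHP is not reading is the other common reason a change has no effect; the linter can only see the file it is handed.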