Tii Posted September 28, 2009 Share Posted September 28, 2009 Dear php freaks, I'm an aix sysadmin who is filling in for our linux/apache/php expert solving some security issues that popped up after an audit. After having sought for a few hours with google and on forums i will ask a question here. I have an apache webserver running with php version 4.3.9. Is it possible to disable the phpinfo function for this version? In php.ini I have tried two different directives to disable it: safe_mode = on disable_functions = phpinfo After stopping and starting the httpd daemon both directives give me the same result, a test still provides me with phpinfo : / Quote Link to comment https://forums.phpfreaks.com/topic/175807-solved-disabling-phpinfo-on-439-possible/ Share on other sites More sharing options...
PFMaBiSmAd Posted September 28, 2009 Share Posted September 28, 2009 Using disable_functions = phpinfo does work, so it is likely that the php.ini that you were changing is not the one that php is using. What does the phpinfo() output show for the Loaded Configuration File setting? Also, the phpinfo() function should not really be a security issue because you should never leave any script files on a public web server that contains a phpinfo() statement. Quote Link to comment https://forums.phpfreaks.com/topic/175807-solved-disabling-phpinfo-on-439-possible/#findComment-926413 Share on other sites More sharing options...
PFMaBiSmAd Posted September 28, 2009 Share Posted September 28, 2009 And it just occurred to me that some security test probably attempted to inject raw php code into one of your scripts and it was executed. The test code being a phpinfo() function. If so, the issue is not the phpinfo() function, but the fact that raw php code could be injected and executed on your server. What exact problem are you having? Quote Link to comment https://forums.phpfreaks.com/topic/175807-solved-disabling-phpinfo-on-439-possible/#findComment-926418 Share on other sites More sharing options...
Tii Posted September 28, 2009 Author Share Posted September 28, 2009 phpinfo gives: Configuration File (php.ini) Path /etc/php.ini Scan this dir for additional .ini files /etc/php.d I have edited /etc/php.ini with the directives and checked if there are no double entries. /etc/php.d is empty Looking at the phpinfo output the changes to php.ini i made seem actually being loaded: Configuration PHP Core Directive Local Value Master Value allow_call_time_pass_reference Off Off allow_url_fopen On On always_populate_raw_post_data Off Off arg_separator.input & & arg_separator.output & & asp_tags Off Off auto_append_file no value no value auto_prepend_file no value no value browscap no value no value default_charset no value no value default_mimetype text/html text/html define_syslog_variables Off Off disable_classes no value no value disable_functions php.info php.info display_errors On On display_startup_errors On On doc_root no value no value docref_ext no value no value docref_root no value no value enable_dl On On error_append_string no value no value error_log /var/log/httpd/php_error.log /var/log/httpd/php_error.log error_prepend_string no value no value error_reporting 2047 2047 expose_php Off Off extension_dir /usr/lib/php4 /usr/lib/php4 file_uploads On On gpc_order GPC GPC highlight.bg #FFFFFF #FFFFFF highlight.comment #FF8000 #FF8000 highlight.default #0000BB #0000BB highlight.html #000000 #000000 highlight.keyword #007700 #007700 highlight.string #DD0000 #DD0000 html_errors On On ignore_repeated_errors Off Off ignore_repeated_source Off Off ignore_user_abort Off Off implicit_flush Off Off include_path .:/usr/share/pear .:/usr/share/pear log_errors On On log_errors_max_len 1024 1024 magic_quotes_gpc Off Off magic_quotes_runtime Off Off magic_quotes_sybase Off Off max_execution_time 30 30 max_input_nesting_level 64 64 max_input_time 60 60 memory_limit 8M 8M open_basedir no value no value output_buffering no value no value output_handler no value no value post_max_size 8M 8M precision 14 14 register_argc_argv On On register_globals Off Off report_memleaks On On safe_mode On On safe_mode_exec_dir no value no value safe_mode_gid Off Off safe_mode_include_dir /mnt/ff/ /mnt/ff/ sendmail_from no value no value sendmail_path /usr/sbin/sendmail -t -i /usr/sbin/sendmail -t -i serialize_precision 100 100 short_open_tag On On SMTP localhost localhost smtp_port 25 25 sql.safe_mode Off Off track_errors Off Off unserialize_callback_func no value no value upload_max_filesize 2M 2M upload_tmp_dir no value no value user_dir no value no value variables_order EGPCS EGPCS xmlrpc_error_number 0 0 xmlrpc_errors Off Off y2k_compliance On On There are no entries in /var/log/httpd/php_error.log Am i using a the right method to check if it is still a vulnerability? For testing I am using a file named phpinfo.php in the root of the domain: [root@lada html]# cat phpinfo.php <?php phpinfo(); ?> then run that from a browser typing http://lada/phpinfo.php So far it still works. Quote Link to comment https://forums.phpfreaks.com/topic/175807-solved-disabling-phpinfo-on-439-possible/#findComment-926427 Share on other sites More sharing options...
Tii Posted September 28, 2009 Author Share Posted September 28, 2009 In reply to your 2nd post: A penetration test showed that there was the above stated phpinfo.php file in a directory of a webserver. Instead of just removing the file I have been asked to make the phpinfo thing totally non funtional, this because with us it is possible for some (internal) users that have access to particular directories on the webserver to create a phpinfo.php again, which then could be run by anyone once in place. Quote Link to comment https://forums.phpfreaks.com/topic/175807-solved-disabling-phpinfo-on-439-possible/#findComment-926437 Share on other sites More sharing options...
PFMaBiSmAd Posted September 28, 2009 Share Posted September 28, 2009 This - disable_functions php.info php.info is not - phpinfo Quote Link to comment https://forums.phpfreaks.com/topic/175807-solved-disabling-phpinfo-on-439-possible/#findComment-926476 Share on other sites More sharing options...
Tii Posted September 29, 2009 Author Share Posted September 29, 2009 I feel silly but yes that did the trick! Just copy pasted disable_functions = php.info from a page i googled Thanks for your time, i'm a happy panda! Quote Link to comment https://forums.phpfreaks.com/topic/175807-solved-disabling-phpinfo-on-439-possible/#findComment-926919 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.