Re: PHPInfo disabled due to security

On Dec 16, 2010, at 10:39 PM, Paul S wrote:

> On Thu, 16 Dec 2010 00:13:31 +0700, "Daniel P. Brown"
> <daniel.brown@xxxxxxxxxxxx> wrote:
> 
> 
>> 
>>    Well, phpinfo() does, by default, divulge some things that could
>> be considered security concerns --- particularly in poorly-managed
>> environments.  Primarily, this is by giving a synopsis of versions and
>> paths of software, but some versions and configurations will also
>> broadcast information about the currently logged-in user (PTS/TTY) in
>> the $_ENV display.  Sure, you can display everything manually that
>> phpinfo() does automatically, but it's easier for some to vilify
>> something because they heard it was bad than to actually address the
>> greater issues.
>> 
>>    In cases like this, I'd agree with Al's response; there are plenty
>> of other web hosts out there.
>> 
> 
> Well, I was hoping for stronger arguments to get that DONE. I would think
> there would be something in the PHP license that would FORBID disabling
> functionality. After all, 'phpinfo' is essential, really, to achieving secure
> applications, isn't it? My setups are secure, I want to keep it that way.
> Shouldn't hosters be required to provide an alternative phpinfo, say behind
> the login control panel?

I don't know that I would say that phpinfo() is essential. Helpful, yes. A pain in the neck when you need it and you don't have it - absolutely. But there are ways around it. As Daniel had mentioned already, you can call it all manually. If changing hosting is a problem, sit down, take an hour and write your own phpinfo(); all the info you need is in the manual.

> I can't see that anyone could upload a phpinfo command to a properly
> configured server and execute it. I have renamed my 'phpinfo.php' file to
> something innocuous.

You have taken precautions, but it doesn't mean that another fella on the same server did.

> Unfortunately I've found changing hosting companies to often result in a
> lot of work for just as obnoxious tech service as the last.

Perhaps writing a bit more portable code would alleviate the extra work. Of course, I do not know your specific situation, so it is not my call if it is even possible. But, the software engineer in me says to spend extra time writing code that can move from server to server easily.
-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
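The "write your own phpinfo()" suggestion above, as an added example that is not part of the original thread or of PHP itself. It uses only documented functions (PHP_VERSION, php_sapi_name(), ini_get(), get_loaded_extensions(), phpversion()) so it works even where phpinfo() is listed in disable_functions, and it deliberately leaves out the $_ENV/$_SERVER dump that Daniel singled out as the leaky part. The client allowlist ($ALLOWED_CLIENTS) and the list of ini directives ($INTERESTING_INI) are assumptions for the example; on a real host you would put the page behind the control panel's own authentication instead.

```php
<?php
// Added example (not from the thread): a minimal phpinfo() replacement built from
// functions the PHP manual documents, for hosts that have disabled phpinfo().
// It reports versions, loaded extensions and selected ini settings only, and never
// dumps $_ENV or $_SERVER, which is where phpinfo() leaks paths and the logged-in user.

// ASSUMPTION: only these client addresses may view the page. Replace with the
// hosting control panel's own login check if one is available.
$ALLOWED_CLIENTS = array('127.0.0.1', '::1');

// ASSUMPTION: ini directives worth eyeballing on a shared host; extend as needed.
$INTERESTING_INI = array(
    'disable_functions', 'open_basedir', 'allow_url_fopen', 'allow_url_include',
    'display_errors', 'log_errors', 'expose_php', 'session.cookie_httponly',
    'upload_max_filesize', 'post_max_size', 'memory_limit', 'max_execution_time',
);

// HTML-escape helper so a hostile ini value or extension name cannot inject markup.
function h($s)
{
    return htmlspecialchars((string) $s, ENT_QUOTES, 'UTF-8');
}

// Gather the report as a plain array so it can also be used from the CLI or in tests.
function collect_php_info(array $ini_keys)
{
    $info = array(
        'php_version' => PHP_VERSION,
        'sapi'        => php_sapi_name(),
        'os'          => PHP_OS,
        'loaded_ini'  => function_exists('php_ini_loaded_file') ? php_ini_loaded_file() : '(unknown)',
        'ini'         => array(),
        'extensions'  => array(),
        'disabled'    => array(),
    );

    foreach ($ini_keys as $key) {
        $value = ini_get($key);                     // false when the directive is unknown
        $info['ini'][$key] = ($value === false) ? '(not set)' : $value;
    }

    $exts = get_loaded_extensions();
    natcasesort($exts);
    foreach ($exts as $ext) {
        $v = phpversion($ext);                      // per-extension version, false if none
        $info['extensions'][$ext] = ($v === false) ? '' : $v;
    }

    // Functions the host switched off; on the original poster's host phpinfo shows up here.
    $disabled = (string) ini_get('disable_functions');
    $info['disabled'] = array_values(array_filter(array_map('trim', explode(',', $disabled))));

    return $info;
}

function render_html(array $info)
{
    $out  = "<h1>PHP " . h($info['php_version']) . " (" . h($info['sapi']) . " on " . h($info['os']) . ")</h1>\n";
    $out .= "<p>Loaded php.ini: " . h($info['loaded_ini']) . "</p>\n";

    $out .= "<h2>Selected ini settings</h2>\n<table>\n";
    foreach ($info['ini'] as $k => $v) {
        $out .= "<tr><td>" . h($k) . "</td><td>" . h($v) . "</td></tr>\n";
    }
    $out .= "</table>\n";

    $disabled = count($info['disabled']) ? implode(', ', $info['disabled']) : '(none)';
    $out .= "<h2>Disabled functions</h2>\n<p>" . h($disabled) . "</p>\n";

    $out .= "<h2>Loaded extensions</h2>\n<table>\n";
    foreach ($info['extensions'] as $ext => $v) {
        $out .= "<tr><td>" . h($ext) . "</td><td>" . h($v) . "</td></tr>\n";
    }
    $out .= "</table>\n";
    return $out;
}

if (PHP_SAPI === 'cli') {
    // From the shell: php myinfo.php
    print_r(collect_php_info($INTERESTING_INI));
} else {
    // Gate the page: anyone not on the allowlist gets a 404 rather than a hint that it exists.
    $client = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
    if (!in_array($client, $ALLOWED_CLIENTS, true)) {
        header('HTTP/1.0 404 Not Found');
        exit;
    }
    header('Content-Type: text/html; charset=UTF-8');
    header('X-Robots-Tag: noindex');
    echo render_html(collect_php_info($INTERESTING_INI));
}
```

Renaming the file, as the poster did, only hides it from casual guessing; the allowlist (or a real login) is what keeps the version and path information away from anyone else on the same shared server, which is the scenario the reply warns about.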



