H3-2022-0045¶

PHPinfo Page Exposed

Description¶

The PHP configuration page (phpinfo()) is a tool within the PHP software that displays comprehensive information about the current PHP environment setup. This tool is part of the PHP scripting language, commonly used for server-side web development. When this page is publicly accessible due to misconfiguration, an attacker can exploit it by simply navigating to the URL hosting the phpinfo() page in a web browser to gain critical insights into the server's PHP settings and environment.

Impact¶

Exploiting this misconfiguration allows an attacker to gather sensitive information such as the PHP version, server details, installed modules, environment variables, and various paths within the server setup. This information can potentially be used to craft more precise attacks against the server or applications running on it.

References¶

• PHPinfo page
• CWE-200: Exposure of Sensitive Information to an Unauthorized Actor