Linux - Security: This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
In your php.ini, you can add phpinfo to disable_functions:
disable_functions = phpinfo
But I don't think it makes much difference to security. I think all the information can be found by other means.
Not in a quiet manner, unless it's over a 10 yr. scan period.
Using that option in php.ini is much better than not using it, IMO.
There ARE ways to prevent such leakage of information...it just requires dedication and know-how. You can leverage other technologies to disallow such traffic, also (such as modsecurity or snort-inline).
Well I was thinking of stopping users that can upload php scripts from getting that information. If you disable phpinfo, you still can use functions like ini_get_all, get_loaded_extensions, php_ini_scanned_files, and so on. You can also look at the $_SERVER array, and you can read a lot of files.
PHP safe_mode helps a bit, but many web servers with safe_mode turned on still allow perl scripts. So I think it's a bit "shallow" - it just makes it a bit harder to get such information. I read somewhere that there will be no safe_mode in PHP 6. I guess the reason is that it just gives server admins a false sense of security.
My point is, if you allow users to upload and run PHP code on your server in the first place, denying for example phpinfo does not add much to security.
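Added example (not from this thread or from PHP itself): a small Python audit that reads a php.ini fragment, parses the `disable_functions` line the way PHP does (comma-separated, case-insensitive, last assignment wins), and reports which of the information-disclosure functions named above are still callable. The php.ini text is a constructed sample; note that `disable_functions` covers only internal functions, so it does nothing about `$_SERVER` or plain file reads.

```python
import re

# Functions named in the thread that still leak configuration details
# once phpinfo() alone is disabled.
INFO_LEAK_FUNCTIONS = (
    "phpinfo",
    "ini_get_all",
    "get_loaded_extensions",
    "php_ini_scanned_files",
)

# Constructed php.ini fragment showing the half-measure from the thread.
SAMPLE_PHP_INI = """\
; constructed sample, not a real server configuration
[PHP]
expose_php = On
disable_functions = phpinfo
safe_mode = Off
"""

def parse_disable_functions(ini_text):
    """Return the set of function names listed in disable_functions.

    PHP reads the value as a comma-separated list of case-insensitive
    names, ';' starts a comment, and a later assignment overrides an
    earlier one, so the last matching line wins here as well.
    """
    disabled = set()
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        m = re.match(r'^disable_functions\s*=\s*"?([^"]*)"?\s*$', line, re.I)
        if m:
            disabled = {n.strip().lower() for n in m.group(1).split(",") if n.strip()}
    return disabled

def audit_disable_functions(ini_text, required=INFO_LEAK_FUNCTIONS):
    """Return (functions still enabled, suggested disable_functions line).

    The suggested line keeps whatever the admin already disabled and
    adds the missing names, so it can replace the existing line as-is.
    """
    disabled = parse_disable_functions(ini_text)
    still_enabled = [f for f in required if f.lower() not in disabled]
    merged = sorted(disabled | {f.lower() for f in required})
    return still_enabled, "disable_functions = " + ",".join(merged)
```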
The thing is, if those types of calls are required to do the job, then there is not much that can be done, other than continuously observe the logs.