Friday, September 26, 2008

Everyone loves php.ini

It is a very rare occasion when I blog anything technical about my job, but this has just caught my attention. It was written way back in 2006, but I did a Google search and it looks like it still applies today.

Taken from the website:
Everyone knows the famous PHP phpinfo(), which provides the programmer with invaluable information about his server configuration and set up. This is a useful tool as soon as one gets a new server, and it is also a tool to talk with any administrator.

Yet, after usage, it is usually recommended to remove it, or to restrict its access to a few people. Indeed, phpinfo may be dangerous by itself: in other times, it was even flawed with XSS injections. Even when secured, phpinfo() publishes information about your architecture, and it is always recommended to keep it from prying eyes.

Sadly enough, the common habit of setting up a phpinfo page on every web site is now so widespread that even search engines are starting to pick them up: there are literally thousands of phpinfo pages indexed on Yahoo and Google. Just hit a search with the words 'phpinfo()' 'GoogleBot' and "Zend Scripting Language Engine" on Google.
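A defender's check for the advice above (remove leftover phpinfo pages, or disable the function in php.ini), as an added example that is not from the original post or the quoted site. The web root and php.ini contents below are constructed for the demo; point the functions at your real document root and php.ini.

```shell
#!/bin/sh
# find_phpinfo WEBROOT: list PHP files under a web root that call phpinfo().
find_phpinfo() {
  find "$1" -type f \( -name '*.php' -o -name '*.phtml' \) \
    -exec grep -l -E 'phpinfo[[:space:]]*\(' {} + 2>/dev/null
}

# count_phpinfo WEBROOT: number of such files, for scripted checks.
count_phpinfo() {
  find_phpinfo "$1" | wc -l | tr -d ' '
}

# phpinfo_disabled PHP_INI: succeed (exit 0) only if the php.ini lists
# phpinfo in disable_functions, e.g. "disable_functions = exec,phpinfo".
phpinfo_disabled() {
  grep -E '^[[:space:]]*disable_functions[[:space:]]*=' "$1" \
    | tr ',' '\n' \
    | grep -q -E '(^|=)[[:space:]]*phpinfo[[:space:]]*$'
}

# Demo on a constructed web root and two constructed php.ini files.
demo() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/site/admin"
  printf '<?php phpinfo(); ?>\n'            > "$tmp/site/info.php"
  printf '<?php echo "hello"; ?>\n'         > "$tmp/site/index.php"
  printf '<?php phpinfo (INFO_ALL); ?>\n'   > "$tmp/site/admin/test.phtml"
  printf 'disable_functions =\n'            > "$tmp/weak.ini"
  printf 'disable_functions = exec,phpinfo\n' > "$tmp/hardened.ini"

  echo "phpinfo pages left in web root:"
  find_phpinfo "$tmp/site"
  for ini in weak hardened; do
    if phpinfo_disabled "$tmp/$ini.ini"; then
      echo "$ini.ini: phpinfo disabled"
    else
      echo "$ini.ini: phpinfo still callable"
    fi
  done
  rm -rf "$tmp"
}

demo
```

The expected demo output lists info.php and admin/test.phtml as leftover pages, and reports phpinfo as still callable under weak.ini but disabled under hardened.ini.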

Read more: PHP configuration statistics
