php 将 phpinfo() 暴露给最终用户会带来哪些安全问题?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/3196011/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
What security problems could come from exposing phpinfo() to end users?
提问by Yahel
If a phpinfo()dump is shown to an end user, what is the worst that a malicious user could do with that information? What fields are most unsecure? That is, if your phpinfo()was publicly displayed, after taking it down, where should you watch/focus for malicious exploits?
如果phpinfo()向最终用户显示转储,恶意用户可以利用该信息做的最坏的事情是什么?哪些领域最不安全?也就是说,如果您的phpinfo()公开展示,在将其撤下后,您应该在哪里观察/关注恶意漏洞?
采纳答案by Michael Jones
Knowing the structure of your filesystem might allow hackers to execute directory traversal attacks if your site is vulnerable to them.
如果您的站点容易受到攻击,那么了解您的文件系统的结构可能允许黑客执行目录遍历攻击。
I think exposing phpinfo() on its own isn't necessarily a risk, but in combination with another vulnerability could lead to your site becoming compromised.
我认为单独暴露 phpinfo() 不一定有风险,但与另一个漏洞结合使用可能会导致您的网站受到损害。
Obviously, the less specific info hackers have about your system, the better. Disabling phpinfo() won't make your site secure, but will make it slightly more difficult for them.
显然,黑客对您的系统的具体信息越少越好。禁用 phpinfo() 不会使您的网站安全,但会使他们稍微困难一些。
回答by Mark Baker
Besides the obvious like being able to see if register_globalsis On, and where files might be located in your include_path, there's all the $_SERVER($_SERVER["DOCUMENT_ROOT"]can give clues to define a relative pathname to /etc/passwd) and $_ENVinformation (it's amazing what people store in $_ENV, such as encryption keys)
除了能够查看是否register_globals为 On 以及文件可能位于 include_path 中的明显位置之外,还有所有$_SERVER($_SERVER["DOCUMENT_ROOT"]可以提供定义相对路径名的线索/etc/passwd)和$_ENV信息(人们存储在 中的内容令人惊讶$_ENV,例如加密密钥) )
回答by symcbean
The biggest problem is that many versions make XSS attacks simple by printing the contents of the URL and other data used to access it.
最大的问题是许多版本通过打印 URL 的内容和用于访问它的其他数据来简化 XSS 攻击。
回答by Pekka
A well-configured, up-to-date system can afford to expose phpinfo()without risk.
一个配置良好、最新的系统可以phpinfo()无风险地公开。
Still, it is possible to get hold of so much detailed information - especially module versions, which could make a cracker's life easier when newly-discovered exploits come up - that I think it's good practice notto leave them up. Especially on shared hosting, where you have no influence on everyday server administration.
尽管如此,还是有可能获得如此多的详细信息——尤其是模块版本,当新发现的漏洞出现时,它可以使破解者的生活更轻松——我认为最好不要放弃它们。特别是在共享主机上,您对日常服务器管理没有影响。
回答by mcandre
Hackers can use this information to find vulnerabilities and hack your site.
黑客可以使用此信息来查找漏洞并入侵您的网站。
回答by Artefacto
Honestly, not much. Personally, I frequently leave phpinfo()pages up.
老实说,不多。就个人而言,我经常离开phpinfo()页面。
If you have some serious misconfigurations (e.g. PHP is running as root), or you're using old and vulnerable versions of some extensions or PHP itself, this information will be more exposed. On the other hand, you also wouldn't be protected by not exposing phpinfo(); you should have instead take care of having your server up-to-date and correctly configured.
如果您有一些严重的配置错误(例如 PHP 以 root 身份运行),或者您正在使用某些扩展或 PHP 本身的旧版本和易受攻击的版本,则此信息将更容易暴露。另一方面,你也不会因为不暴露而受到保护phpinfo();您应该注意让您的服务器保持最新并正确配置。
