phpinfo.php file and place it in the root directory of whatever domain I happen to be working on. These types of informational files employ PHP’s handy phpinfo() function to display a concise summary of all of your server’s variables, which may then be referenced for debugging purposes, bragging rights, and so on.

While this sort of thing is normally okay, I frequently forget to remove the file and just leave it sitting there for the entire world to look at. This of course is a big “no-no” for site security, because the phpinfo.php file contains a hefty amount of information about my server, including stuff like:

That, and tons more, may be accessed quite easily by just about anyone looking for it. Of course, nefarious scum could then use this information to detect a vulnerability, exploit it, and feel better about their pathetic, wasted lives.
So, wise readers, it is my advice to you (as well as to myself) to remember to protect or remove any phpinfo.php or other sensitive files that you may have sitting around on your server. An information-disclosure attack may seem like a low-priority affair, but if the attacker locates a vulnerability, you’re screwed.

How to protect your phpinfo and other sensitive files with htaccess
If you are constantly referring to the file and would rather not delete it, consider adding the following slice of HTAccess to keep it private for your IP only:

# protect phpinfo
<Files php-info.php>
Order Deny,Allow
Deny from all
Allow from 123.456.789
</Files>
Edit this snippet to include your specific IP address, along with any other IPs that may require access. Just use additional Allow from 123.456.789 lines to do so.

Likewise, to protect other files, you can replace “php-info.php” with the name of the file, or use regular expressions to pattern-match specific file sets.

Remember, when it comes to sensitive data, take an old wizard’s advice:
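As an added example (not the snippet from the post above), here is the same IP restriction written with a FilesMatch regular expression so it covers a whole set of info files at once, in both the Apache 2.4 syntax and the older Order/Deny/Allow form. The filenames in the pattern and the addresses 203.0.113.10 and 198.51.100.0/24 are assumed placeholders; substitute your own.

```apache
# Added example: lock down every file matching the pattern to a short list of
# admin addresses. Anyone else receives a 403 Forbidden instead of the page.
# The addresses below are placeholders from documentation ranges, not real admins.

# Apache 2.4 (mod_authz_core). Requires "AllowOverride AuthConfig" (or All)
# for the directory, otherwise the .htaccess is ignored or errors out.
<IfModule mod_authz_core.c>
    <FilesMatch "^(phpinfo|php-info|info)\.php$">
        Require ip 203.0.113.10 198.51.100.0/24
    </FilesMatch>
</IfModule>

# Apache 2.2 (mod_authz_host), the form used in the snippet above.
# Requires "AllowOverride Limit" (or All) for the directory.
<IfModule !mod_authz_core.c>
    <FilesMatch "^(phpinfo|php-info|info)\.php$">
        Order Deny,Allow
        Deny from all
        Allow from 203.0.113.10
        Allow from 198.51.100.0/24
    </FilesMatch>
</IfModule>
```

Two things to check after adding it: fetch the file from an address that is not on the list and confirm you get a 403, and remember that the rule keys off the client address Apache sees, so behind a reverse proxy or CDN it is the proxy's address that is being matched, not the visitor's.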