# Exposure of sensitive system information

## Description

The `phpinfo()` function may reveal sensitive information about your environment, such as the PHP version, configuration settings, and other details that could be used by an attacker.
## Examples

### Insecure Code

```php
phpinfo();
```

### Secure Code

```php
// phpinfo();
```

## Remediation
Remove or comment out the `phpinfo()` function call to prevent exposure of sensitive system information.
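The secure example above is a commented-out call, which a plain text search for `phpinfo` would still flag. The following is an added example (not part of the original rule page or the linked phpcs sniff) of the check this rule performs: a small Python scanner that blanks out PHP comments and string literals before looking for a live call to the `phpinfo` builtin, so commented-out calls, calls mentioned inside strings, and a method that merely shares the name are not reported. The sample PHP source is constructed for the demonstration; the scanner assumes the whole input is PHP code and does not track `<?php ... ?>` boundaries or PHP 8 `#[...]` attributes.

```python
import re

# Constructed sample PHP source: one live call on line 2 and one on line 9,
# plus several look-alikes that a naive grep would wrongly report.
SAMPLE_PHP = """<?php
phpinfo();                       // live call: flagged (line 2)
// phpinfo();                    // commented out, as in the secure example
# phpinfo();                     // shell-style comment
/* phpinfo();
   phpinfo(); */                 // block comment
$s = 'call phpinfo() here';      // inside a string literal
$obj->phpinfo();                 // a method, not the builtin
if ($debug) { PHPINFO(INFO_GENERAL); }  // builtin names are case-insensitive
"""


def strip_comments_and_strings(src: str) -> str:
    """Return src with comment and string-literal bodies replaced by spaces.

    Newlines are preserved so offsets in the result map to the same line
    numbers as the original source.
    """
    out = []
    i, n = 0, len(src)
    state = "code"  # one of: code, line, block, or the quote char of a string
    while i < n:
        c = src[i]
        nxt = src[i + 1] if i + 1 < n else ""
        if state == "code":
            if (c == "/" and nxt == "/") or c == "#":
                state = "line"
                out.append(" ")
                i += 1
            elif c == "/" and nxt == "*":
                state = "block"
                out.append("  ")
                i += 2
            elif c in ("'", '"'):
                state = c
                out.append(" ")
                i += 1
            else:
                out.append(c)
                i += 1
        elif state == "line":
            if c == "\n":
                state = "code"
            out.append(c if c == "\n" else " ")
            i += 1
        elif state == "block":
            if c == "*" and nxt == "/":
                state = "code"
                out.append("  ")
                i += 2
            else:
                out.append(c if c == "\n" else " ")
                i += 1
        else:  # inside a string literal delimited by `state`
            if c == "\\" and nxt:
                # skip the escaped character, keeping newlines
                out.append(" ")
                out.append(nxt if nxt == "\n" else " ")
                i += 2
            elif c == state:
                state = "code"
                out.append(" ")
                i += 1
            else:
                out.append(c if c == "\n" else " ")
                i += 1
    return "".join(out)


# A bare identifier `phpinfo` followed by `(`, not part of a longer name.
CALL_RE = re.compile(r"(?<![\w$])phpinfo\s*\(", re.IGNORECASE)


def find_phpinfo_calls(src: str) -> list[int]:
    """Return 1-based line numbers of live calls to the phpinfo() builtin."""
    code = strip_comments_and_strings(src)
    hits = []
    for m in CALL_RE.finditer(code):
        before = code[: m.start()]
        # `$x->phpinfo()` / `Foo::phpinfo()` are method calls, not the builtin.
        if re.search(r"(->|::)\s*$", before):
            continue
        # `function phpinfo(` is a (namespaced) definition, not a call.
        if re.search(r"\bfunction\s+$", before):
            continue
        hits.append(code.count("\n", 0, m.start()) + 1)
    return hits


if __name__ == "__main__":
    for line in find_phpinfo_calls(SAMPLE_PHP):
        print(f"CODE-0753: live phpinfo() call at line {line}")
```

Running the block reports lines 2 and 9 of the sample and stays silent on the commented-out, quoted and method-call look-alikes. To scan a real code base, feed each `.php` file's contents to `find_phpinfo_calls`.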
## Rule Details

| Field | Value |
|---|---|
| ID | CODE-0753 |
| Category | InsecureConfig |
| Severity | MEDIUM |
| CWE | CWE-497 |
| Confidence | HIGH |
| Impact | MEDIUM |
| Likelihood | HIGH |
| Exploitability | EASY |
| Tags | sensitive information, exposure |
| OWASP | A5:2017-Broken Access Control, A01:2021-Broken Access Control |
## References

- https://www.php.net/manual/en/function.phpinfo
- https://github.com/FloeDesignTechnologies/phpcs-security-audit/blob/master/Security/Sniffs/BadFunctions/PhpinfosSniff.php