Monday, November 23, 2009

Protecting your phpinfo(), sort of.

SkyHi @ Monday, November 23, 2009
404 Not Found
//PHPMYADMIN/config/config.inc.php?p=phpinfo();: 1 Time(s)
//admin/config/config.inc.php?p=phpinfo();: 1 Time(s)
//dbadmin/config/config.inc.php?p=phpinfo();: 1 Time(s)
//myadmin/config/config.inc.php?p=phpinfo();: 1 Time(s)
//mysql/config/config.inc.php?p=phpinfo();: 1 Time(s)
//p/m/a/config/config.inc.php?p=phpinfo();: 1 Time(s)
//php-my-admin/config/config.inc.php?p=phpinfo();: 1 Time(s)
//phpMyAdmin/config/config.inc.php?p=phpinfo();: 1 Time(s)
//phpmyadmin/config/config.inc.php?p=phpinfo();: 1 Time(s)
//pma/config/config.inc.php?p=phpinfo();: 1 Time(s)


Each of those probes passes PHP code (phpinfo();) in the p parameter, hoping to find a script that evaluates it; a phpinfo() page in the response would confirm code execution. One server-wide answer is to disable the function in /etc/php.ini:

Server config: /etc/php.ini

disable_functions = "phpinfo"

disable_functions is a PHP_INI_SYSTEM setting, so it can only be set in php.ini, not overridden from .htaccess or ini_set(). Once phpinfo is listed there, function_exists('phpinfo') returns false and any call fails (a warning on PHP 5 and 7, an Error on PHP 8). Keep in mind what this does and does not do: it denies a scanner its easy confirmation and stops a forgotten phpinfo page from leaking your configuration, but it does not fix a script that evaluates untrusted input, if you have one.

Programmer:

The truly security-conscious developer should write their application with security in mind from the beginning. It will relieve headaches and help to plug potential security holes down the road.

To that end, when replacing Slackware with Ubuntu Server on my 64-bit server, I needed some information about the configuration of PHP 5 on Ubuntu, because it differed from my old Slackware box.

To add to my server configuration’s complexity, I use an FHS /srv layout, which stores my web sites on a separate RAID array from the system’s root partition. Since I will never use Apache 2’s “default” configuration for a site, I needed to use it to serve phpinfo(), but in a way that wouldn’t leave me open in the future if I somehow forgot to remove it.

I came up with this simple script that should work in most cases (nearly all if your development machine is on the same LAN or VPN as your server).

<?php
// Only the one trusted address gets phpinfo(); everyone else gets a refusal.
if ($_SERVER['REMOTE_ADDR'] === '192.168.2.89') {
    phpinfo();
} else {
    echo "You're like, not authorized to view this.";
}
?>

Not something to be relied upon, but it’s a quick way to cover your butt if you forget to clean up after yourself.
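The following is an added example, not the post's own script: the same REMOTE_ADDR gate, extended to an allowlist with CIDR ranges, a real 403 response instead of a 200 with a message, and a check that plays nicely with a disable_functions = "phpinfo" line in php.ini. The addresses in $allowed are assumptions for illustration; the helper ip_in_cidr() is written here and is not a PHP built-in.

```php
<?php
// Added example (not the original post's code): phpinfo() gated by a
// source-address allowlist. The addresses below are assumptions; replace them.

// Peers allowed to see phpinfo(): single IPv4 addresses or CIDR ranges.
$allowed = array('192.168.2.89', '10.8.0.0/24');

// True when $ip (IPv4 dotted quad) lies inside $cidr ("a.b.c.d/n" or a bare
// address). Built on ip2long(), so IPv4 only; anything unparsable is denied.
function ip_in_cidr($ip, $cidr)
{
    if (strpos($cidr, '/') === false) {
        $cidr .= '/32';
    }
    list($net, $bits) = explode('/', $cidr, 2);
    $bits    = (int) $bits;
    $ipLong  = ip2long($ip);
    $netLong = ip2long($net);
    if ($ipLong === false || $netLong === false || $bits < 0 || $bits > 32) {
        return false;
    }
    // Mask with the top $bits bits set. ~((1 << 0) - 1) is all ones, so /32
    // demands an exact match; for /0 the mask is zero and everything matches.
    $mask = ~((1 << (32 - $bits)) - 1);
    return ((($ipLong ^ $netLong) & $mask) === 0);
}

// The peer address as the web server saw it. X-Forwarded-For and similar
// headers are deliberately ignored: any client can set them, so trusting them
// would let a remote scanner impersonate an allowlisted address.
$client = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';

$ok = false;
foreach ($allowed as $cidr) {
    if (ip_in_cidr($client, $cidr)) {
        $ok = true;
        break;
    }
}

if (!$ok) {
    // A genuine 403 rather than a 200 with a message: scanners, log analysis
    // and monitoring all then see the refusal for what it is.
    header('HTTP/1.0 403 Forbidden');
    header('Content-Type: text/plain');
    echo "Not authorized.\n";
    exit;
}

// If php.ini has disable_functions = "phpinfo", say so cleanly instead of
// tripping a warning (PHP 5/7) or an Error (PHP 8).
if (!function_exists('phpinfo')) {
    header('Content-Type: text/plain');
    echo "phpinfo() is disabled in php.ini on this server.\n";
    exit;
}

phpinfo();
```

Drop this in place of the default site's phpinfo page and hit it from an address outside the list to confirm the 403 before you trust it. If the server sits behind a reverse proxy, REMOTE_ADDR is the proxy's address, so either list the proxy (which means trusting everyone behind it) or configure the proxy module to restore the real client address before this script runs. The same restriction can be enforced one layer up in Apache itself, with Require ip 192.168.2.89 inside a <Files> block on 2.4, or Order deny,allow / Deny from all / Allow from 192.168.2.89 on 2.2; doing both costs nothing.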