
Safe to show PHP info - phpinfo()?

Posted: Thu Nov 15, 2007 8:42 am
by jramaro
Hi,
I'm talking to an outside coder guy about writing some GnuPG code to interact with PHP mail forms.
He wants to see a copy of phpinfo().

Is there anything in that display that could be used maliciously?

Anything you wouldn't want outside sources to see?

Thank You

Posted: Thu Nov 15, 2007 10:00 am
by Jonah Bron
I'm not totally sure, but I would read phpinfo() myself, and ask him specifically what information he needs me to give him. I know one thing it reveals: the directories all the way down to the php installation, but there might be more...

Posted: Thu Nov 15, 2007 10:26 am
by Kieran Huggins
if you think about it, you're trusting a developer with a lot more than a *look* at your server...

but yes, a phpinfo is pretty safe to share.

Posted: Thu Nov 15, 2007 11:31 am
by John Cartwright
Kieran Huggins wrote: if you think about it, you're trusting a developer with a lot more than a *look* at your server...

but yes, a phpinfo is pretty safe to share.
It is not safe to share, and you likely should not. Divulging path information and other setting configurations can give useful information on where to start the attack :)

Will sharing it probably cause harm to the one guy? Probably not..

Posted: Thu Nov 15, 2007 12:45 pm
by s.dot
It could be potentially unsafe, but it would boil down to the security of your server and applications. The settings alone pose no threat.

It would only give a potential attacker places to start, which in some cases, is more than they had to begin with.

Posted: Thu Nov 15, 2007 2:26 pm
by jramaro
ah, Thanks

I think I will ask him what he needs to see specifically then,
and then I'll let ya know what it is.

Thank You
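
Added example, not part of the original thread: one way to act on the advice above is to hand over a short report of only the settings the job needs instead of the full phpinfo() page. The field list is an assumption about what GnuPG and mail-form work requires (the PECL `gnupg` extension or a `gpg` binary called through `proc_open`/`exec`); the helper names are hypothetical.

```php
<?php
// Added example: minimal environment report to share instead of phpinfo().
// The chosen fields are an assumption about what GnuPG + mail-form work needs.

/** True if $fn exists and is not listed in disable_functions. */
function fn_usable(string $fn): bool
{
    $disabled = array_map('trim', explode(',', (string) ini_get('disable_functions')));
    return function_exists($fn) && !in_array($fn, $disabled, true);
}

/** Say whether a path-valued ini setting is set, without revealing the path. */
function path_setting_state(string $key): string
{
    $value = ini_get($key);
    if ($value === false) {
        return 'unknown setting';
    }
    return $value === '' ? 'not set' : 'set (value withheld)';
}

function build_report(): array
{
    return [
        'php_version'    => PHP_VERSION,
        'sapi'           => PHP_SAPI,
        'os'             => PHP_OS,
        'ext_gnupg'      => extension_loaded('gnupg'),
        'fn_mail'        => fn_usable('mail'),
        'fn_proc_open'   => fn_usable('proc_open'),
        'fn_exec'        => fn_usable('exec'),
        'open_basedir'   => path_setting_state('open_basedir'),
        'sendmail_path'  => path_setting_state('sendmail_path'),
        'upload_tmp_dir' => path_setting_state('upload_tmp_dir'),
    ];
}

if (PHP_SAPI !== 'cli') {
    header('Content-Type: text/plain'); // plain text, no HTML page to cache or index
}
foreach (build_report() as $key => $value) {
    $shown = is_bool($value) ? ($value ? 'yes' : 'no') : $value;
    printf("%-16s %s\n", $key, $shown);
}
```

The command-line PHP often loads a different php.ini than the web server, so run this through the same SAPI that serves the mail form, and delete the file once the output has been copied.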