Information Leakage / Phpinfo() page Found
phpinfo() page found is an information leakage vulnerability that occurs in web and API applications that use PHP. It arises when an application exposes too much information about the underlying environment, making it easier for attackers to find exploitable vulnerabilities. According to the Common Weakness Enumeration (CWE) directory, this type of vulnerability is classified as CWE-200 and is identified as an “Information Exposure” vulnerability. Furthermore, the OWASP Testing Guide lists this vulnerability as one of the most common web application security flaws.
This vulnerability allows attackers to have access to server information, such as the software version, configuration settings and other sensitive information, allowing them to launch more sophisticated attacks. The severity of this vulnerability depends on the criticality of the application and the information exposed. The more sensitive the information, the higher the risk.
The most effective solution to this vulnerability is to disable the phpinfo() page and any other script that could provide too much information about the system and configuration. By doing so, attackers will be unable to access this information and therefore will not be able to exploit any vulnerabilities.
The following code example shows a sample phpinfo() page with detailed information about the system:
<?php phpinfo(); ?>