Is it possible to obfuscate or remove environment variables from phpinfo?
If not, is the only alternative to display the phpinfo function?
Thinking about it further, someone could easily print_r($_SERVER) and get the credentials as well. What would be a solution to this?
Clarification: this is in regards to Apache environment variables.
You can use the flags parameter to determine which sections are displayed/omitted. Environment variables are value 16. The maximum value is 127; so to only omit environment variables, send value 111.
Show everything
<?php phpinfo(); ?>
<?php phpinfo(127); ?>
<?php phpinfo(-1); ?>
<?php phpinfo(INFO_ALL); ?>
<?php phpinfo(INFO_GENERAL | INFO_CREDITS | INFO_CONFIGURATION | INFO_MODULES | INFO_ENVIRONMENT | INFO_VARIABLES | INFO_LICENSE); ?>
Show only environment variables
<?php phpinfo(16); ?>
<?php phpinfo(INFO_ENVIRONMENT); ?>
Show everything EXCEPT environment variables
<?php phpinfo(111); ?>
<?php phpinfo(INFO_ALL & ~INFO_ENVIRONMENT); ?>
Constants
Name (constant) | Value | Description
INFO_GENERAL | 1 | The configuration line, php.ini location, build date, Web Server, System and more.
INFO_CREDITS | 2 | PHP Credits. See also phpcredits().
INFO_CONFIGURATION | 4 | Current Local and Master values for PHP directives. See also ini_get().
INFO_MODULES | 8 | Loaded modules and their respective settings. See also get_loaded_extensions().
INFO_ENVIRONMENT | 16 | Environment Variable information that's also available in $_ENV.
INFO_VARIABLES | 32 | Shows all predefined variables from EGPCS (Environment, GET, POST, Cookie, Server).
INFO_LICENSE | 64 | PHP License information. See also the license FAQ.
INFO_ALL | -1 | Shows all of the above.
Documentation can be found here
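The following is an added example, not code from the question or either answer. It shows the bitmask arithmetic above in working PHP and adds the check a practitioner would want before exposing any phpinfo() page: render phpinfo() into a string and search it for the credential. It also covers the point raised in the question that INFO_VARIABLES (value 32) dumps $_SERVER, so omitting only INFO_ENVIRONMENT does not hide an Apache SetEnv value. The secret value, the DB_PASSWORD name and the putenv()/$_SERVER assignments are constructed stand-ins for what Apache would inject; they are assumptions so the script runs from the CLI.

```php
<?php
// Added example (not part of the original question or answers). Assumes a
// credential injected by Apache (e.g. SetEnv DB_PASSWORD ...) that PHP then
// exposes in $_SERVER, in the environment, and in the INFO_ENVIRONMENT and
// INFO_VARIABLES sections of phpinfo().

/**
 * Build a phpinfo() flags value that omits the given INFO_* sections.
 * INFO_ALL is -1 (all bits set), so clearing bits with & ~ works directly;
 * masking with 127 maps the result onto the 1..127 range used in the table.
 */
function phpinfo_flags_without(int ...$omit): int
{
    $flags = INFO_ALL;
    foreach ($omit as $section) {
        $flags &= ~$section;
    }
    return $flags & 127;
}

/**
 * Render phpinfo() into a string instead of sending it to the client,
 * so the output can be inspected before (or instead of) being shown.
 */
function phpinfo_as_string(int $flags): string
{
    ob_start();
    phpinfo($flags);
    return (string) ob_get_clean();
}

/**
 * Names of the INFO_* sections whose output contains the given secret value.
 * An empty array means no single section reveals it.
 */
function phpinfo_sections_leaking(string $secret): array
{
    $sections = [
        'INFO_GENERAL'       => INFO_GENERAL,
        'INFO_CREDITS'       => INFO_CREDITS,
        'INFO_CONFIGURATION' => INFO_CONFIGURATION,
        'INFO_MODULES'       => INFO_MODULES,
        'INFO_ENVIRONMENT'   => INFO_ENVIRONMENT,
        'INFO_VARIABLES'     => INFO_VARIABLES,
        'INFO_LICENSE'       => INFO_LICENSE,
    ];
    $leaking = [];
    foreach ($sections as $name => $flag) {
        if (strpos(phpinfo_as_string($flag), $secret) !== false) {
            $leaking[] = $name;
        }
    }
    return $leaking;
}

// --- demonstration ---------------------------------------------------------
// Constructed stand-in for a credential that Apache's SetEnv would have placed
// in the environment; putenv() and the superglobal assignments mimic that for
// a command-line run (assumption: not real configuration).
$secret = 'hunter2-constructed-sample';
putenv('DB_PASSWORD=' . $secret);
$_SERVER['DB_PASSWORD'] = $secret;
$_ENV['DB_PASSWORD']    = $secret;

echo "Omit INFO_ENVIRONMENT only:            ",
     phpinfo_flags_without(INFO_ENVIRONMENT), "\n";                    // 111
echo "Omit INFO_ENVIRONMENT and INFO_VARIABLES: ",
     phpinfo_flags_without(INFO_ENVIRONMENT, INFO_VARIABLES), "\n";    // 79

$leaks = phpinfo_sections_leaking($secret);
echo "Sections that show the secret: ", $leaks ? implode(', ', $leaks) : '(none)', "\n";

// Verify a candidate mask before exposing it anywhere.
$mask = phpinfo_flags_without(INFO_ENVIRONMENT, INFO_VARIABLES);
if (strpos(phpinfo_as_string($mask), $secret) !== false) {
    echo "Mask $mask still leaks the secret; do not expose it.\n";
} else {
    echo "Mask $mask hides the secret in phpinfo(); print_r(\$_SERVER) would still show it.\n";
}
```

Run it from the command line with `php example.php`. The section scan is the useful part: it reports which INFO_* sections contain the value, so the mask you pick is checked against the actual output rather than against the table alone. Note that the check only covers phpinfo(); as the question points out, any script that dumps $_SERVER will still print the credential, and no flags value changes that.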
The Suhosin patch does this:
Ignores GET, POST, COOKIE variables with the following names: GLOBALS, _COOKIE, _ENV, _FILES, _GET, _POST, _REQUEST, _SERVER, _SESSION, HTTP_COOKIE_VARS, HTTP_ENV_VARS, HTTP_GET_VARS, HTTP_POST_VARS, HTTP_POST_FILES, HTTP_RAW_POST_DATA, HTTP_SERVER_VARS, HTTP_SESSION_VARS
Other than that, I am not aware of a way to cleanly hide those variables.
That said, it shouldn't really be necessary in the first place: external visitors shouldn't be able to run phpinfo(), or dump arbitrary variables.