Today I was doing a little research and I happened across a site that displayed its phpinfo() function. I wasn’t even sure what I was looking at at first because it was just such an insane wealth of reconnaissance information on the server in question that I just couldn’t believe my eyes. It’s my new favorite amusing Google Dork: intitle:phpinfo() inurl:com
Let’s take an example, like ns7.webmasters.com. What can we derive out of looking at their phpinfo? Where should we start?
- Compile time configuration information. So if I wanted to know configuration options for PHP, I’ve pretty much got that at my disposal, not to mention path information. Bummer.
- Register_globals is apparently turned on - lucky for us.
- libcurl/7.15.1 OpenSSL 0.9.8a 11 Oct 2005 zlib/1.2.2 libidn/0.5.18 - lots of outdated software.
- Hashing engines - at least we don’t have to muddle around and guess how data is hashed too much once we do break in.
- ImageMagick 5.5.7 - another outdated version, love it.
- pfpro.defaulthost test-payflow.verisign.com - could be interesting if we can compromise the DNS, but it’s only a test. This could be more interesting on a production machine.
- libTidy Release 1 September 2005 - more outdated software.
- Apache/1.3.34 Ben-SSL/1.57 (Unix) mod_gzip/220.127.116.11a mod_fastcgi/2.4.2 mod_throttle/3.1.2 Chili!Soft-ASP/3.6.2 FrontPage/18.104.22.16835 mod_perl/1.29 PHP/4.4.2 - hmmm… vulnerable to the expect XSS issue among other issues.
Why would you ever put something like this on your server, and more importantly why would you ever allow a search engine to spider it? These sorts of information disclosure issues can really hurt companies, and unfortunately it’s trivial to find them (less so on targeted servers, but for un-targeted worms this is great recon). Scary.
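For anyone who wants to check their own server for leftover pages like this, here is an added example (not part of the original post) that walks a webroot and reports every live phpinfo() call so the file can be removed or locked down. The function names and the sample tree are constructed for illustration, and the comment stripping is a heuristic rather than a full PHP tokenizer.

```python
import os
import re
import tempfile

PHP_EXTS = (".php", ".phtml", ".inc")
# PHP function names are case-insensitive; skip method calls like $x->phpinfo().
CALL = re.compile(r"(?<![\w>:$])phpinfo\s*\(", re.IGNORECASE)
# Heuristic comment stripper: /* */ blocks first, then // and # line comments.
BLOCK = re.compile(r"/\*.*?\*/", re.DOTALL)
LINE = re.compile(r"(?://|#).*")

def find_phpinfo_calls(webroot):
    """Return sorted (relative_path, line_number) pairs for live phpinfo() calls."""
    hits = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            if not name.lower().endswith(PHP_EXTS):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                src = fh.read()
            # Swap block comments for their newlines so line numbers stay correct.
            src = BLOCK.sub(lambda m: "\n" * m.group(0).count("\n"), src)
            for lineno, line in enumerate(src.splitlines(), 1):
                if CALL.search(LINE.sub("", line)):
                    hits.append((os.path.relpath(path, webroot), lineno))
    return sorted(hits)

def build_sample_webroot(root):
    """Write a constructed sample tree (not taken from any real server)."""
    samples = {
        "info.php": "<?php\nPhpInfo();\n",
        "admin/test.php": "<?php\n/* debug\n   page */\nphpinfo (INFO_GENERAL);\n",
        "index.php": "<?php\n// phpinfo(); removed before launch\necho 'hi';\n",
        "lib/report.php": "<?php\n$r->phpinfo();\n",
    }
    for rel, body in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_webroot(root)
        for rel, lineno in find_phpinfo_calls(root):
            print(f"{rel}:{lineno}: phpinfo() call reachable in webroot")
```

Point `find_phpinfo_calls()` at your real document root in place of the temporary sample tree; anything it reports should be deleted or moved behind authentication.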