
How to Prevent PHPInfo Exploit by Using An Alternative That Only Executes When the PHP Developer Wants by Using the Package PHPInfo Guard: Protected replacement for the phpinfo() function

Last updated: 2024-05-31
Version: phpinfoguard 1.0.0
License: GNU General Publi...
PHP version: 5
Categories: PHP 5, Language, Security
Description

This package provides a protected replacement for the phpinfo() function.

It provides a script that can alter the php.ini configuration file to make another script load an alternative version of the phpinfo() function.

The package provides a class with the alternative phpinfo() function.

This function checks a configuration value to decide whether the original phpinfo() function should run or whether an error should be shown saying that the phpinfo() function is disabled.

Innovation Award

PHP Programming Innovation award winner, June 2024
phpinfo() is a useful function that many developers use to check PHP configuration values used in the current environment in which PHP is running.

The information provided by the phpinfo() function may be sensitive and can be exploited by people with bad intentions.

This package provides an alternative version to the phpinfo() function that only executes when a configuration variable is set to enable the presentation of the original phpinfo() function output.


Manuel Lemos
Author: Eric Jumba (United States)

Recommendations

  • protect the phpinfo() command
  • add a password to run the phpinfo() function

Example

<?php

function updatePhpIni($prependFile)
{
    // Locate the php.ini file that the running PHP actually loaded
    $phpIniFile = php_ini_loaded_file();
    if (!$phpIniFile) {
        throw new Exception("Unable to locate php.ini file.");
    }

    // Read the php.ini file
    $iniContent = file_get_contents($phpIniFile);
    if ($iniContent === false) {
        throw new Exception("Unable to read php.ini file.");
    }

    // Check if auto_prepend_file is already set (an active, uncommented directive)
    $autoPrependPattern = '/^auto_prepend_file\s*=\s*.*$/m';
    if (preg_match($autoPrependPattern, $iniContent)) {
        // Update the existing directive. Backslashes and dollar signs in the
        // path are escaped because preg_replace() interprets them in the
        // replacement string (Windows paths would otherwise be mangled).
        $replacement = "auto_prepend_file = \"" . addcslashes($prependFile, '\\$') . "\"";
        $iniContent = preg_replace($autoPrependPattern, $replacement, $iniContent);
    } else {
        // Add the directive at the end of the file
        $iniContent .= PHP_EOL . "auto_prepend_file = \"$prependFile\"" . PHP_EOL;
    }

    // Write the updated content back to the php.ini file
    if (file_put_contents($phpIniFile, $iniContent) === false) {
        throw new Exception("Unable to write to php.ini file.");
    }

    echo "Updated php.ini successfully.\n";
}

try {
    // bootstrap.php lives one directory above this script
    $prependFile = __DIR__ . '/../bootstrap.php';
    updatePhpIni($prependFile);
} catch (Exception $e) {
    echo "Error: " . $e->getMessage() . "\n";
    exit(1);
}


Details

PhpInfoGuard

PhpInfoGuard is an innovative PHP package designed to enhance security by globally protecting the phpinfo() command. This package ensures that the phpinfo() function can only be executed under controlled conditions, preventing unauthorized access to sensitive PHP configuration details. Ideal for developers and system administrators looking to secure their PHP environments, PhpInfoGuard provides a simple yet powerful solution to a common security concern.

Installation

To install PhpInfoGuard, use Composer:

composer require jumbaeric/phpinfoguard

Upon installation, the package will automatically update your php.ini file to include the necessary auto_prepend_file directive, streamlining the setup process.

Features

  • Global Protection: Secures the phpinfo() command globally across all PHP scripts and command-line executions.
  • Easy Configuration: Simple configuration settings allow you to enable or disable the phpinfo() function as needed.
  • Automated Setup: Automatically configures the auto_prepend_file directive in php.ini for hassle-free integration.
  • Lightweight and Efficient: Minimal performance overhead while providing robust security.

Configuration

Set the initial state of the phpinfo() function in the config/phpinfo_guard.php file:

return [
    'enabled' => false,
];

Usage

To control the execution of the phpinfo() function, use the following commands:

use PhpInfoGuard\PhpInfoGuard;

PhpInfoGuard::enable(); // Enables phpinfo() execution
PhpInfoGuard::guardedPhpInfo(); // Executes phpinfo() if enabled

PhpInfoGuard::disable(); // Disables phpinfo() execution
PhpInfoGuard::guardedPhpInfo(); // Outputs "phpinfo() is disabled."
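The following is an added, self-contained illustration of the Configuration and Usage sections above; it is not the package's own src/PhpInfoGuard.php. It shows one way a guarded phpinfo() wrapper can read the 'enabled' flag from a config file, flip it with enable()/disable(), and fail closed when the file is missing. The class name GuardedPhpInfo, the temp-directory config path, and the extra CLI/loopback check are assumptions of this example, not part of the package.

```php
<?php
// Added example, not PhpInfoGuard's own code. Assumptions: class name,
// config path under the temp dir, and the CLI/loopback restriction.

declare(strict_types=1);

namespace Example;

final class GuardedPhpInfo
{
    /** Config file returning ['enabled' => bool]; the package uses config/phpinfo_guard.php. */
    private string $configFile;

    public function __construct(?string $configFile = null)
    {
        $this->configFile = $configFile ?? sys_get_temp_dir() . '/phpinfo_guard_example.php';
    }

    /** A missing, unreadable or malformed config file counts as disabled (fail closed). */
    public function isEnabled(): bool
    {
        if (!is_file($this->configFile)) {
            return false;
        }
        $config = include $this->configFile;
        return is_array($config) && ($config['enabled'] ?? false) === true;
    }

    public function enable(): void
    {
        $this->write(true);
    }

    public function disable(): void
    {
        $this->write(false);
    }

    /** Persists the flag in the same "return [...]" shape as the README's config file. */
    private function write(bool $enabled): void
    {
        $php = "<?php\nreturn ['enabled' => " . var_export($enabled, true) . "];\n";
        if (file_put_contents($this->configFile, $php, LOCK_EX) === false) {
            throw new \RuntimeException("Cannot write {$this->configFile}");
        }
        // Drop the cached copy so the next include() sees the new value.
        if (function_exists('opcache_invalidate')) {
            opcache_invalidate($this->configFile, true);
        }
    }

    /**
     * Replacement for a bare phpinfo() call. In addition to the enabled flag,
     * this example (assumption, not in the package) only serves the output
     * to the CLI or to loopback clients, so a flag accidentally left at true
     * does not expose the configuration to every remote visitor. Returns
     * whether phpinfo() actually ran.
     */
    public function guardedPhpInfo(): bool
    {
        if (!$this->isEnabled()) {
            echo "phpinfo() is disabled.\n";
            return false;
        }
        $remote = $_SERVER['REMOTE_ADDR'] ?? '';
        $local  = PHP_SAPI === 'cli' || in_array($remote, ['127.0.0.1', '::1'], true);
        if (!$local) {
            // Leave a trace in the error log so refused requests can be spotted.
            error_log('guardedPhpInfo: request refused from ' . $remote);
            echo "phpinfo() is disabled.\n";
            return false;
        }
        phpinfo();
        return true;
    }
}

// Same call sequence as the README's Usage section.
$guard = new GuardedPhpInfo();
$guard->disable();
$guard->guardedPhpInfo();
$guard->enable();
$guard->guardedPhpInfo();
$guard->disable();   // leave the flag closed when finished
```

Two caveats worth keeping in mind with this approach: the flag only governs code that goes through guardedPhpInfo(), so a script that calls phpinfo() directly is unaffected unless phpinfo is also listed in disable_functions in php.ini; and because auto_prepend_file is read at interpreter startup, the php.ini change made by the package's installer only takes effect after the web server or PHP-FPM pool is restarted.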

Security Benefits

  • Prevent Unauthorized Access: Restrict access to PHP configuration details, reducing the risk of exposure to sensitive information.
  • Mitigate Security Risks: Protect against potential attacks that exploit the phpinfo() function to gather server information.

Keywords and Tags

  • PHP Security
  • Protect phpinfo()
  • Secure PHP Configuration
  • PHP Guard
  • PHP Info Protection
  • PHP Security Package
  • Automated PHP Security
  • PHP Environment Security
  • Global PHP Security

Conclusion

PhpInfoGuard is an essential tool for any PHP developer or system administrator focused on enhancing the security of their PHP environment. By providing robust protection for the phpinfo() function, this package helps safeguard against unauthorized access and potential security threats. Install PhpInfoGuard today to secure your PHP configurations effectively.


Files (8)

  bootstrap.php                  Auxiliary script
  composer.json                  Auxiliary data
  README.md                      Documentation
  config/phpinfo_guard.php       Auxiliary script
  examples/example.php           Auxiliary script
  scripts/update_php_ini.php     Example script
  src/PhpInfoGuard.php           Class source
  tests/PhpInfoGuardTest.php     Class source
