info.php is there any way to exploit it?

DigitalDUST

you know how the php starters tend to test their page by using this code

<?php

phpinfo();
?>

i found one on a site. can it be exploited in anyway??

let me know. is there a tool to do that or what?

stolzyboy

yeah, we are gonna tell you how to crack into someones site

gimme a break, and why would you want to

Moonglobe

hmmm well while that could well be his intention, im assuming he meant 'are there any vulnerabilities i should be aware of for my own sake?'

just a guess.... if he is some cracker i'd ask him banned, but other wise.....
moon

DigitalDUST

its not like Im going to destroy them. I just want to know how it is worked. so I can prevent their site from being exploited.

thats fine if you dont trust me.. I just want to learn about how php can execute commands remotely

stolzyboy

well, that said, you can see where their config files are, their paths, just about any config options, stuff installed, etc...

but i wouldn't say it is an exploit persay, it just isn't advisable to have out in the open

my suggestion is to protect it in a folder via .htaccess so only passworded people can view the information, or only upload it when you need to see it, then delete it

tekky

Originally posted by stolzyboy
well, that said, you can see where their config files are, their paths, just about any config options, stuff installed, etc...

but i wouldn't say it is an exploit persay, it just isn't advisable to have out in the open

my suggestion is to protect it in a folder via .htaccess so only passworded people can view the information, or only upload it when you need to see it, then delete it

I generally put something like...

if ($_GET['somevar'] != 'somerandomstringandnumbers')
{
     echo "Yah right...\n";
     exit;
}
.....// rest of page here

Weedpacket

http://www.phpbuilder.com/board/showthread.php?s=&threadid=10243287&highlight=phpinfo+vulnerability

DigitalDUST

I ran a exploit on my own webserver and found out that i could access my c:<path> using the

[url]http://[/url]<yourserver>/php/php.exe?c:\ <path> in the url

how do i stop this from allowing any user to access to my files???

I am using apache 1.3.14 with PHP 4.0

the error code was:

Common File/Directory Exposure. Possible misconfiguration problem in the web server that allow unauthorized remote users to steal confidential documents or gain information about the web server's host machine.

any idea what I should do to prevent this??