2.6 Million Domains and ~45,000 Exposed Phpinfo() Later… the Story of Unprotecte...
source link: https://hackernoon.com/26-million-domains-and-45000-exposed-phpinfo-later-the-story-of-unprotected-phpinfo
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
After scanning 2.6 million domains for exposed .git directories (link to the article), .env (link to the article) and .DS_Store (link to the article) files, I did the same scan for phpinfo-files like info.php or phpinfo.php.
In the first part of this article, I will explain what phpinfo is and what can be extracted from it. In the second part I will talk about the sensitive information I found.
scan stats
What is phpinfo()?
phpinfo() is a function which displays information about the configuration of PHP and the server. It helps PHP developers to see which modules are active and which versions of these modules are running on the server.
Example phpinfo()
Are the data presented with phpinfo() dangerous?
On the first glance this information is not sensitive. And many developers miss to delete the phpinfo files on the production environment. But oh boy, that is not the case. After analysing the results of my scan of all the 2.6 million domains, I came to another conclusion about phpinfo().
I found over 45,000 phpinfo() pages.
Vulnerable versions of PHP
Many many years ago, I started learning PHP 4, and yes it is still running on some servers… wtf. I did the scan in October 2022. Since 28th of November 2022 PHP 7.4 and everything before is deprecated, so no more PHP 7.x only PHP 8.x is supported. But look for yourself.
PHP versions
Check your PHP Version: if < 8: 😟 else: 🙂
Vulnerable versions of ImageMagick
ImageMagick is a library to manipulate images with PHP. Some older versions had some severe security issues. From about one third we could extract the ImageMagick version. 90% of these libraries are outdated.
ImageMagick versions
Vulnerable versions of server software (like nginx, Apache or Microsoft IIS)
Often the server version is visible in the phpinfo data. Quite a lot of used servers use an deprecated version.
Server versions (Apache, nginx, IIS and others)
It is best practise to disable the server header or at least the server version.
Vulnerable versions of openssl
Another interesting module, where you can find the version information in the phpinfo data is openssl. Openssl is a toolkit for cryptography and secure communication. It is widely adopted and used. In the past there where some prominent security issues with this library (Do you remember heartbleed?)
From the versions extracted from our data set 1/3 of the used openssl libraries is outdated.
OpenSSL versions
Insecure PHP configurations
If you run a PHP web application, you should consider to enable or disable some settings to prevent information leaks and security issues in the first place.
Error reporting
On a productive system you should disable any kind of error reporting to the user. Through error reports and stack traces an attacker can gain valuable intel about your application.
display-errors
Disabled functions
In PHP you can disable some functions. It makes sense to disable some dangerous functions. For example the exec
or passthru
because these functions allows an attacker to execute system commands. Just under 1 per thousand PHP configurations use this option and disable all dangerous PHP functions.
disabled-functions
Allow url fopen / Allow url include / Open-basedir
In PHP there are other settings, which you have to use very consciously. For example, whether files may be opened from external sources or whether includes may be loaded from external sources. Very few PHP setups make restrictions.
Following are the statistics for the following settings:
Allow url fopen
allow-url-fopen
Allow url include
allow-url-include
Open basedir
open-basedir
Sensitive data leak 💀
The information about the server and PHP configuration may help an attacker to retrieve knowledge about possible exploits and running modules on the server. But the really juicy stuff are the sensitive data which can be exposed via phpinfo() like environment variables or the $_SERVER vars. There I found database passwords, email credentials, private keys, API secrets, Stripe live keys, credentials to cloud databases and message queues and encryption keys.
I think one hoster has a setup issue with all of his customers. The database credentials are exposed via the environment variables of all of many of his customers.
Environment variables 🤯
And $_SERVER["XXX"], also 😱
WAF bypass
In the $_SERVER vars of PHP i found about 500 direct server IP addresses of web applications which should be protected by a WAF (Web Application Firewall, like Cloudflare). When you know the direct IP address of the server, you can bypass all protection mechanims of the WAF by directly access the web application.
Cloudflare bypass with direct server IP
Conclusion
What should I say: 🤯. I was very surprised about what was found in the phpinfo(). Every PHP developer should think about what can be leaked through public accessible phpinfo() data. You should not deploy phpinfo() to the production server. Or if you need to, place the file in a password protected folder.
Also update your server software, so you get all the latest security fixes.
Check your server manually, with a nuclei template or with a service like scan.nan.io.
The Web Development and eCommerce Writing Contest is brought to you by Elastic Path in partnership with HackerNoon. Publish your thoughts and experiences on #eCommerce or #web-development to win a cash prize!
Elastic Path is the only commerce company making Composable Commerce accessible for tech teams with unique product merchandising requirements and complex go-to-market strategies. Explore our product today!
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK