PHP Classes

How to Prevent PHPInfo Exploit by Using An Alternative That Only Executes When the PHP Developer Wants by Using the Package PHPInfo Guard: Protected replacement for the phpinfo() function

Last Updated: 2024-05-31 (4 days ago)
Ratings: Not yet rated by the users
Unique User Downloads: Total: 21, This week: 21
Download Rankings: All time: 11,202, This week: 3
Version: phpinfoguard 1.0.0
License: GNU General Publi...
PHP version: 5
Categories: PHP 5, Language, Security
Description 

This package provides a protected replacement for the phpinfo() function.

It provides a script that can alter the php.ini configuration file to make another script load an alternative version of the phpinfo() function.

The package provides a class with the alternative phpinfo() function.

This function checks a configuration value to decide whether to execute the original phpinfo() function or to show an error stating that phpinfo() is disabled.

Author: Eric Jumba
Classes: 5 packages
Country: United States
Innovation award: Nominee 4x, Winner 1x

Recommendations

protect the phpinfo() command
add a password to run the phpinfo() function

Example

<?php

/**
 * Point the auto_prepend_file directive in the loaded php.ini at $prependFile.
 * Any existing value of the directive is replaced.
 */
function updatePhpIni($prependFile)
{
    // Locate the php.ini file
    $phpIniFile = php_ini_loaded_file();
    if (!$phpIniFile) {
        throw new Exception("Unable to locate php.ini file.");
    }

    // Read the php.ini file
    $iniContent = file_get_contents($phpIniFile);
    if ($iniContent === false) {
        throw new Exception("Unable to read php.ini file.");
    }

    $directive = "auto_prepend_file = \"$prependFile\"";

    // Check if auto_prepend_file is already set
    $autoPrependPattern = '/^auto_prepend_file\s*=\s*.*$/m';
    if (preg_match($autoPrependPattern, $iniContent)) {
        // Update the existing directive. A callback is used so that
        // backslashes or "$" in the path are not read as backreferences.
        $iniContent = preg_replace_callback($autoPrependPattern, function () use ($directive) {
            return $directive;
        }, $iniContent);
    } else {
        // Add the directive
        $iniContent .= PHP_EOL . $directive . PHP_EOL;
    }

    // Write the updated content back to the php.ini file
    if (file_put_contents($phpIniFile, $iniContent) === false) {
        throw new Exception("Unable to write to php.ini file.");
    }

    echo "Updated php.ini successfully.\n";
}

try {
    $prependFile = __DIR__ . '/../bootstrap.php';
    updatePhpIni($prependFile);
} catch (Exception $e) {
    echo "Error: " . $e->getMessage() . "\n";
    exit(1);
}


Details

PhpInfoGuard

PhpInfoGuard is an innovative PHP package designed to enhance security by globally protecting the phpinfo() command. This package ensures that the phpinfo() function can only be executed under controlled conditions, preventing unauthorized access to sensitive PHP configuration details. Ideal for developers and system administrators looking to secure their PHP environments, PhpInfoGuard provides a simple yet powerful solution to a common security concern.

Installation

To install PhpInfoGuard, use Composer:

composer require jumbaeric/phpinfoguard

Upon installation, the package will automatically update your php.ini file to include the necessary auto_prepend_file directive, streamlining the setup process.
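
The update script shown in the Example section replaces any existing auto_prepend_file value, so a dry run before installation shows whether another prepend file would be displaced. The following is an added example, not code from the package; planAutoPrepend() and the sample paths are hypothetical.

```php
<?php
// Added example, not PhpInfoGuard code: preview the php.ini change before writing it.

/**
 * Classify what setting auto_prepend_file to $wanted would do to $iniContent.
 * action: add (no active directive), fill-empty, unchanged, or conflict
 * (a different file is already prepended and would be replaced).
 */
function planAutoPrepend($iniContent, $wanted)
{
    $active = array();
    foreach (preg_split('/\R/', $iniContent) as $line) {
        // Lines starting with ";" are comments and never match.
        if (preg_match('/^\s*auto_prepend_file\s*=\s*(.*?)\s*$/', $line, $m)) {
            $active[] = trim($m[1], "\"'");
        }
    }
    // Non-empty values that differ from the one we want to set.
    $others = array_values(array_diff(array_filter($active, 'strlen'), array($wanted)));

    if (!$active) {
        $action = 'add';
    } elseif ($others) {
        $action = 'conflict';
    } elseif (in_array($wanted, $active, true)) {
        $action = 'unchanged';
    } else {
        $action = 'fill-empty';
    }
    return array('action' => $action, 'replaces' => $others);
}

// Constructed sample: an ini file where another tool already uses the directive.
$sampleIni = implode("\n", array(
    '[PHP]',
    ';auto_prepend_file = /old/commented.php',
    'auto_prepend_file = "/opt/apm/agent_prepend.php"',
));
// Constructed path; bootstrap.php is the package file the directive points at.
$plan = planAutoPrepend($sampleIni, '/var/www/vendor/jumbaeric/phpinfoguard/bootstrap.php');
printf("%s %s\n", $plan['action'], implode(', ', $plan['replaces']));
```

To check a live installation, pass it file_get_contents(php_ini_loaded_file()) and stop on 'conflict' until the existing prepend file has been accounted for.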

Features

  • Global Protection: Secures the phpinfo() command globally across all PHP scripts and command-line executions.
  • Easy Configuration: Simple configuration settings allow you to enable or disable the phpinfo() function as needed.
  • Automated Setup: Automatically configures the auto_prepend_file directive in php.ini for hassle-free integration.
  • Lightweight and Efficient: Minimal performance overhead while providing robust security.

Configuration

Set the initial state of the phpinfo() function in the config/phpinfo_guard.php file:

return [
    'enabled' => false,
];

Usage

To control the execution of the phpinfo() function, call the following static methods:

use PhpInfoGuard\PhpInfoGuard;

PhpInfoGuard::enable(); // Enables phpinfo() execution
PhpInfoGuard::guardedPhpInfo(); // Executes phpinfo() if enabled

PhpInfoGuard::disable(); // Disables phpinfo() execution
PhpInfoGuard::guardedPhpInfo(); // Outputs "phpinfo() is disabled."
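
A codebase audit that complements the wrapper, as an added example that is not part of PhpInfoGuard: it lists direct phpinfo() calls, which do not pass through PhpInfoGuard::guardedPhpInfo(). The function findDirectPhpinfoCalls() and the sample source are constructed for illustration, and the example assumes the enabled flag is checked only inside guardedPhpInfo(), as the calls above show.

```php
<?php
// Added example, not PhpInfoGuard code: report direct phpinfo() calls in a source string.

function findDirectPhpinfoCalls($source)
{
    // Keep only significant tokens so neighbours can be inspected by index.
    $tokens = array();
    foreach (token_get_all($source) as $t) {
        if (is_array($t) && in_array($t[0], array(T_WHITESPACE, T_COMMENT, T_DOC_COMMENT), true)) {
            continue;
        }
        $tokens[] = $t;
    }

    // PHP 8 emits "\phpinfo" as one T_NAME_FULLY_QUALIFIED token.
    $fq = defined('T_NAME_FULLY_QUALIFIED') ? T_NAME_FULLY_QUALIFIED : -1;
    // Tokens that make "phpinfo(" a method call, declaration or instantiation.
    $notACall = array(T_OBJECT_OPERATOR, T_DOUBLE_COLON, T_FUNCTION, T_NEW);
    $lines = array();
    foreach ($tokens as $i => $t) {
        if (!is_array($t) || ($t[0] !== T_STRING && $t[0] !== $fq)) {
            continue;
        }
        $next = isset($tokens[$i + 1]) ? $tokens[$i + 1] : null;
        if (strtolower(ltrim($t[1], '\\')) !== 'phpinfo' || $next !== '(') {
            continue;
        }
        $prev = $i > 0 ? $tokens[$i - 1] : null;
        if (is_array($prev) && in_array($prev[0], $notACall, true)) {
            continue;
        }
        $lines[] = $t[2]; // line number of the call
    }
    return $lines;
}

// Constructed sample source, for illustration only.
$sample = <<<'PHP'
<?php
PhpInfoGuard\PhpInfoGuard::guardedPhpInfo(); // wrapper
// phpinfo(); mentioned in a comment
$debug->phpinfo();                           // method call
if (isset($_GET['debug'])) {
    phpinfo();                               // direct call
}
\phpinfo(INFO_MODULES);                      // direct call, fully qualified
PHP;

print_r(findDirectPhpinfoCalls($sample));
```

Run it over each project file with file_get_contents(); every reported line is a call to route through the wrapper or remove.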

Security Benefits

  • Prevent Unauthorized Access: Restrict access to PHP configuration details, reducing the risk of exposing sensitive information.
  • Mitigate Security Risks: Protect against potential attacks that exploit the phpinfo() function to gather server information.

Keywords and Tags

  • PHP Security
  • Protect phpinfo()
  • Secure PHP Configuration
  • PHP Guard
  • PHP Info Protection
  • PHP Security Package
  • Automated PHP Security
  • PHP Environment Security
  • Global PHP Security

Conclusion

PhpInfoGuard is an essential tool for any PHP developer or system administrator focused on enhancing the security of their PHP environment. By providing robust protection for the phpinfo() function, this package helps safeguard against unauthorized access and potential security threats. Install PhpInfoGuard today to secure your PHP configurations effectively.


Files

File                          Role     Description
bootstrap.php                 Aux.     Auxiliary script
composer.json                 Data     Auxiliary data
README.md                     Doc.     Documentation
config/phpinfo_guard.php      Aux.     Auxiliary script
examples/example.php          Aux.     Auxiliary script
scripts/update_php_ini.php    Example  Example script
src/PhpInfoGuard.php          Class    Class source
tests/PhpInfoGuardTest.php    Class    Class source
