Leakage of sensitive information with 'phpinfo' function
- Rule ID: php_lang_phpinfo
- Languages: php
- Source: phpinfo.yml
Description
Calling 'phpinfo()' can leak sensitive information. The function renders a full report on the running PHP instance: the PHP version and build options, loaded extensions and their versions, every php.ini setting (including paths such as the document root, include_path and session.save_path), and the contents of the $_SERVER and $_ENV superglobals, which frequently carry database credentials, API keys and internal hostnames. Left reachable on a public host (the classic 'info.php' or 'phpinfo.php' left in the web root), this output lets an attacker fingerprint the exact stack and harvest secrets without exploiting anything else.
Remediations
- Do not call 'phpinfo()' in production environments or in any publicly accessible part of your application. Even a page you consider "internal" is one misconfigured route or proxy rule away from being public.
phpinfo(); // unsafe in production
- Regularly review your codebase (and the web root itself, where stray diagnostic files tend to accumulate) to ensure calls to 'phpinfo()' are removed before deploying to production. Where a diagnostics page is genuinely needed, gate it on environment-specific configuration so it can never reach 'phpinfo()' in production, and add a defence in depth at the interpreter level by listing the function in 'disable_functions' in the production php.ini (for example 'disable_functions = phpinfo'), which makes the call fail even if a stray file slips through.
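The following is an added example (not code from Bearer or from this rule's documentation) of what "environment-specific configuration" looks like in practice: a diagnostics endpoint that fails closed in production, only answers the local machine, tolerates 'phpinfo()' being blocked via 'disable_functions', and even then suppresses the sections where credentials usually leak. The 'APP_ENV' variable name and the '404' response are assumptions; adjust them to your deployment.

```php
<?php
// Added example, not Bearer's own code. A diagnostics endpoint that only
// reaches phpinfo() outside production and only for loopback requests.
// APP_ENV is an assumed environment variable name.
declare(strict_types=1);

function diagnosticsAllowed(string $appEnv, string $remoteAddr): bool
{
    // Never in production, no matter who is asking.
    if ($appEnv === 'production') {
        return false;
    }
    // Only from the local machine. REMOTE_ADDR comes from the TCP connection
    // as seen by the web server; do not substitute X-Forwarded-For, which the
    // client controls.
    return in_array($remoteAddr, ['127.0.0.1', '::1'], true);
}

// Fail closed: an unset APP_ENV is treated as production.
$appEnv     = getenv('APP_ENV') ?: 'production';
$remoteAddr = $_SERVER['REMOTE_ADDR'] ?? '';

if (!diagnosticsAllowed($appEnv, $remoteAddr)) {
    // Respond exactly as a missing page would, so the endpoint cannot be
    // discovered by probing.
    http_response_code(404);
    exit;
}

// If phpinfo is listed in disable_functions, function_exists() returns false;
// report that instead of dying with a fatal error.
if (!function_exists('phpinfo')) {
    header('Content-Type: text/plain');
    echo "phpinfo() is disabled by disable_functions on this host.\n";
    exit;
}

// Redacted report: everything except the predefined variables ($_SERVER,
// $_ENV, $_COOKIE) and the environment section, where secrets usually live.
phpinfo(INFO_ALL & ~INFO_VARIABLES & ~INFO_ENVIRONMENT);
```

Note that the environment check alone is not enough: a deployment that forgets to set 'APP_ENV' must still refuse, which is why the fallback value is 'production'. Pairing this with 'disable_functions = phpinfo' in the production php.ini means that even a forgotten 'phpinfo.php' dropped into the web root produces an error rather than a configuration dump.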
Associated CWE
OWASP Top 10
Configuration
To skip this rule during a scan, use the following flag
bearer scan /path/to/your-project/ --skip-rule=php_lang_phpinfo
To run only this rule during a scan, use the following flag
bearer scan /path/to/your-project/ --only-rule=php_lang_phpinfo