Monday 11 August 2008

Secure your phpinfo from the bad people

I use the phpinfo() function a great deal, for everything from basic information gathering to advanced server administration checks, so I like to have it available on all my hosts.

Unfortunately this is a gaping hole in my security, as the information it exposes is a gold mine for the hackers out there.

I could simply remove the file when I am finished, or obfuscate the filename to make it hard to find. But both of these would destroy the ease and simplicity I am after.

So, I decided to sort this out today.

The solution I am using is simple: basic HTTP Auth.

Just enough to deter any would-be hackers, since no one can see how complicated my security is behind this shield. And this should work on all PHP servers.

Here is the code.

[cc lang="php" tab_size="2" lines="40"]
<?php
// Gate the page with HTTP Basic Auth: the 401 plus WWW-Authenticate header
// makes the browser prompt for credentials and resend them on every request.
function authenticate($uid, $pw) {
  if (
    !isset($_SERVER['PHP_AUTH_USER']) ||
    !isset($_SERVER['PHP_AUTH_PW']) ||
    $_SERVER['PHP_AUTH_USER'] !== $uid ||  // strict comparison: no type juggling on numeric-looking strings
    $_SERVER['PHP_AUTH_PW'] !== $pw
  ) {
    header('WWW-Authenticate: Basic realm="Security Check"');
    header('HTTP/1.0 401 Unauthorized');
    echo "You must enter a valid login ID and password to access this resource\n";
    exit;
  }
  // Refuse to serve anything while the shipped default password is still in place.
  if ($pw === "password") {
    echo "You must change the 'password' before you can have access to this...";
    exit;
  }
}
authenticate("admin", "password");
phpinfo();
[/cc]

And a zipped version.

If you have a standard file with phpinfo() in it, I highly suggest you start using this.
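The same gate in a hardened form, as an added example that is not the post's own code: it compares the username in constant time, verifies a stored password hash instead of a plaintext string, and falls back to parsing the Authorization header on CGI/FastCGI hosts, where PHP_AUTH_USER is often not populated and the snippet above would always answer 401. It assumes PHP 5.6 or later; PHPINFO_USER, PHPINFO_PASSWORD_HASH and the two helper function names are assumptions, and the hash value is a placeholder to be replaced.

```php
<?php
// Added example, not the post's own code: a hardened variant of the Basic Auth
// gate above. Assumes PHP >= 5.6 (hash_equals, password_hash/password_verify).
// PHPINFO_PASSWORD_HASH is a placeholder; generate the real value once with:
//   php -r 'echo password_hash("your-secret", PASSWORD_DEFAULT);'
const PHPINFO_USER = 'admin';
const PHPINFO_PASSWORD_HASH = '$2y$10$REPLACE_WITH_password_hash_OUTPUT';

// mod_php fills PHP_AUTH_USER/PHP_AUTH_PW; CGI/FastCGI setups often do not,
// but may expose the raw header as HTTP_AUTHORIZATION, so parse that as a fallback.
function basic_auth_credentials(array $server)
{
    if (isset($server['PHP_AUTH_USER'], $server['PHP_AUTH_PW'])) {
        return array($server['PHP_AUTH_USER'], $server['PHP_AUTH_PW']);
    }
    $header = isset($server['HTTP_AUTHORIZATION']) ? $server['HTTP_AUTHORIZATION'] : '';
    if (stripos($header, 'Basic ') !== 0) {
        return null;
    }
    $decoded = base64_decode(substr($header, 6), true);
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null;
    }
    return explode(':', $decoded, 2); // split once: the password may contain ':'
}

// Constant-time username check plus bcrypt verification, so the plaintext
// password never sits in the script. An unreplaced placeholder hash fails closed.
function authenticate_hardened(array $server)
{
    $creds = basic_auth_credentials($server);
    if ($creds === null) {
        return false;
    }
    list($user, $pass) = $creds;
    return hash_equals(PHPINFO_USER, $user)
        && password_verify($pass, PHPINFO_PASSWORD_HASH);
}

if (!authenticate_hardened($_SERVER)) {
    header('WWW-Authenticate: Basic realm="Security Check"');
    header('HTTP/1.0 401 Unauthorized');
    echo "You must enter a valid login ID and password to access this resource\n";
    exit;
}
phpinfo();
```

Basic Auth sends the credentials base64-encoded, not encrypted, on every request, so serve the file over HTTPS; otherwise the shield only protects against people who are not already watching the wire.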
