|
|
Posted by C. on 09/24/07 20:42
On 24 Sep, 21:36, KDawg44 <KDaw...@gmail.com> wrote:
> Hello,
>
> I recently took over a site for a client and the original developer
> has a phpinfo.php page. I can see how this is interesting during
> development on a dev site, but it seems like giving a lot of
> information to the world to have it on the live site.
>
> My question, am I overreacting or is this as dumb a move as I feel it
> is?
>
> Thanks.
AIR phpinfo() allows javascript injection which means someone could
abuse the link to steal cookies and hijack a session.
The information it exposes is only really a problem if there are known
(to the attacker, at least) issues in the version of software you are
using, but IME most attackers don't bother looking first before
throwing all their attacks at your box.
HTH
C.
Navigation:
[Reply to this message]
|