
Sensitive Server Info Disclosure via Public phpinfo()

2 min read · Jun 27, 2025


🧠 Introduction: Sometimes the biggest risks come from the smallest oversights. During a passive reconnaissance session, I encountered an exposed phpinfo() page on a production server owned by a well-known company. This misconfiguration leaked a wide range of sensitive server data — including environment variables, file paths, and PHP modules — and could have assisted attackers in crafting targeted exploits.

🕵️‍♂️ Discovery:

While performing recon across multiple public assets tied to a known electronics company, I identified a domain with a /test/ directory exposed.

Using basic directory brute-forcing and manual inspection, I found the following endpoint:

https://<redacted>/test/phpinfo.php

This page returned the full output of the phpinfo() function, including:

  • PHP version (e.g. 8.x.x) and Server API (Apache module, FPM/FastCGI, etc.)
  • Loaded extensions
  • Server IP, hostname, and OS
  • Full server-side file paths (DOCUMENT_ROOT, SCRIPT_FILENAME)
  • Environment and $_SERVER variables, plus ini directives such as session.save_path, disable_functions, open_basedir and allow_url_include

This was clearly a forgotten debug/testing page accidentally deployed to production.

🔥 Why It Matters

To the untrained eye, phpinfo() might just look like a diagnostic page. But in an attacker’s hands, it’s pure gold:

  • Recon Goldmine — Knowing the exact PHP version, web server, and file structure lets an attacker match known bugs and build payloads with correct absolute paths
  • Environment Info — $_SERVER and environment variables may reveal internal IPs, sensitive paths, or secrets injected through the environment (database credentials, API keys)
  • Attack Surface — Loaded extensions (curl, soap, openssl, etc.) and ini directives (allow_url_include, disable_functions, open_basedir) tell an attacker which primitives are available once they find a file-inclusion, SSRF, or deserialization bug

This type of exposure is especially dangerous when combined with an LFI or file-upload bug, where knowing absolute paths is critical. phpinfo() also echoes the $_FILES array, including the temporary name of any file uploaded in the same request, which is the basis of the well-known phpinfo() LFI race that turns a local file inclusion into code execution.
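To make the "why it matters" concrete, here is an added Python example (my code, not anything from the post or the affected server) that reduces a phpinfo() page to the fields an assessor would report and flags the risky ones. The sample page is constructed to mimic the HTML layout phpinfo() emits (an h1.p version header, one a[name=module_X] anchor per extension, td.e/td.v rows with the local value first); the hostname, IP, paths and the DB_PASSWORD variable in it are invented.

```python
"""Triage an exposed phpinfo() page: extract what an attacker would use
and flag the risky settings.  Added example, not code from the post."""
import html
import re

# Constructed sample mimicking phpinfo()'s HTML layout.  Not the output
# of any real server; every value below is made up for the demo.
SAMPLE_PHPINFO = """
<h1 class="p">PHP Version 8.2.12</h1>
<table>
<tr><td class="e">System </td><td class="v">Linux web01 5.15.0 #1 SMP x86_64 </td></tr>
<tr><td class="e">Server API </td><td class="v">FPM/FastCGI </td></tr>
</table>
<h2><a name="module_Core" href="#module_Core">Core</a></h2>
<table>
<tr><td class="e">allow_url_include</td><td class="v">On</td><td class="v">On</td></tr>
<tr><td class="e">disable_functions</td><td class="v"><i>no value</i></td><td class="v"><i>no value</i></td></tr>
<tr><td class="e">open_basedir</td><td class="v"><i>no value</i></td><td class="v"><i>no value</i></td></tr>
<tr><td class="e">expose_php</td><td class="v">On</td><td class="v">On</td></tr>
</table>
<h2><a name="module_curl" href="#module_curl">curl</a></h2>
<h2><a name="module_session" href="#module_session">session</a></h2>
<table>
<tr><td class="e">session.save_path</td><td class="v">/var/lib/php/sessions</td><td class="v">/var/lib/php/sessions</td></tr>
</table>
<h2><a name="module_soap" href="#module_soap">soap</a></h2>
<h2>PHP Variables</h2>
<table>
<tr><td class="e">$_SERVER[&#039;DOCUMENT_ROOT&#039;]</td><td class="v">/var/www/html</td></tr>
<tr><td class="e">$_SERVER[&#039;SCRIPT_FILENAME&#039;]</td><td class="v">/var/www/html/test/phpinfo.php</td></tr>
<tr><td class="e">$_SERVER[&#039;SERVER_ADDR&#039;]</td><td class="v">10.0.3.14</td></tr>
<tr><td class="e">$_SERVER[&#039;DB_PASSWORD&#039;]</td><td class="v">example-only-not-real</td></tr>
</table>
"""

VERSION_RE = re.compile(r'<h1 class="p">PHP Version ([^<]+)</h1>')
MODULE_RE = re.compile(r'<a name="module_([^"]+)"')
# The first td.v after a td.e is the *local* value; a trailing master value is ignored.
ROW_RE = re.compile(r'<td class="e">([^<]*)</td>\s*<td class="v">(.*?)</td>', re.S)
SECRET_HINT = re.compile(r"PASS|SECRET|TOKEN|KEY|CREDENTIAL", re.I)
INTERESTING_PATHS = ("$_SERVER['DOCUMENT_ROOT']", "$_SERVER['SCRIPT_FILENAME']",
                     "session.save_path", "upload_tmp_dir")


def _clean(fragment):
    """Strip inner tags (e.g. <i>no value</i>) and decode HTML entities."""
    return html.unescape(re.sub(r"<[^>]+>", "", fragment)).strip()


def parse_phpinfo(page):
    """Reduce a phpinfo() page to version, loaded modules and a settings dict."""
    m = VERSION_RE.search(page)
    return {
        "php_version": m.group(1).strip() if m else None,
        "modules": MODULE_RE.findall(page),
        "settings": {_clean(k): _clean(v) for k, v in ROW_RE.findall(page)},
    }


def triage(info):
    """Return (severity, message) findings in the order a report would list them."""
    s = info["settings"]
    out = []
    if s.get("allow_url_include", "").lower() == "on":
        out.append(("high", "allow_url_include=On: a local file inclusion becomes remote inclusion"))
    for key, val in s.items():
        if key.startswith("$_SERVER[") and val and SECRET_HINT.search(key):
            out.append(("high", f"credential-looking variable exposed: {key}"))
    if s.get("disable_functions") in ("", "no value"):
        out.append(("medium", "disable_functions empty: system/exec/proc_open reachable from any code-exec bug"))
    if s.get("open_basedir") in ("", "no value"):
        out.append(("medium", "open_basedir unset: file reads are not confined to the web root"))
    for key in INTERESTING_PATHS:
        if key in s:
            out.append(("info", f"server path disclosed: {key}={s[key]}"))
    if info["php_version"]:
        out.append(("info", f"exact PHP version disclosed: {info['php_version']}"))
    return out


if __name__ == "__main__":
    for sev, msg in triage(parse_phpinfo(SAMPLE_PHPINFO)):
        print(f"[{sev}] {msg}")
```

Point `parse_phpinfo` at the body of a real response and the findings list is the evidence section of a report: the high-severity rows are the ones that turn a separate bug into a shell, the info rows are the recon the author describes.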

✅ Fixes & Recommendations

What went wrong:

  • A leftover phpinfo() page was pushed to production
  • No WAF or access control prevented public access

What to do instead:

  • Never deploy debug tools or test scripts to production; add a pre-deploy check for them in CI
  • Automate scanning for sensitive files (phpinfo.php, info.php, test.php, .git/, .env, etc.) across every public host
  • Block dev endpoints at the web server (an Apache .htaccess only takes effect where AllowOverride permits it; on nginx use a location block with deny all) and add phpinfo to disable_functions in php.ini so a forgotten script cannot run anyway
  • Set expose_php = Off so the X-Powered-By header stops advertising the PHP version

🙌 Final Thoughts

Even a simple phpinfo() page can become a serious vulnerability if left exposed on the internet. Always audit your web assets, even the non-obvious ones. Small misconfigs often lead to big risks. Stay sharp, stay ethical, and keep hunting.



Written by Md Nawshad Ahmmed

Security Researcher | Penetration Tester | Bug Hunter
