phpinfo exposes email address 1

[OsakaWebbie]

I just noticed that if PHP is installed as a module of Apache 2, the "apache2handler" section of phpinfo() contains the "server administrator" email address as plain text. Is there a way to get that to not show - some setting in the call to phpinfo() or something? I don't want to expose my address to spammers, but I would like to leave a file with phpinfo() on my server as a convenience to me, if possible.

 

[feherke]

Hi

the "apache2handler" section of phpinfo() contains the "server administrator" email address as plain text.

Note that it also appears in the Apache Environment and the PHP Variables sections.

Is there a way to get that to not show

The only way I know is to not set it. See the [tt]ServerAdmin[/tt] directive in your [tt]httpd[/tt] configuration.

I would like to leave a file with phpinfo() on my server as a convenience to me

If is only for you, then protect it with password.


Feherke.

http://free.rootshell.be/~feherke/

 

[DonQuichote]

OR, if you have shell access (meaning that you can fire up a command line) to that server, type "php -i" on the command line. If it is a Windows server, you may have to give the full path to php.exe or php-cli.exe.

There is far too much info in php_info that it is more a convenience to hackers than to you.


+++ Despite being wrong in every important aspect, that is a very good analogy +++
Hex (in Darwin's Watch)

 

[OsakaWebbie]

Note that it also appears in the Apache Environment and the PHP Variables sections.

True - I see that. But apparently it's still only when it's a module of Apache version 2 - I have accounts on several hosters with different configurations (PHP as CGI, module of Apache 1.something), but only the hoster with Server API="Apache 2.0 Handler" has my email address showing anywhere.

It's a shared hoster, so I don't think I would have any access to the httpd configuration, and although I wish I had shell access (SSH), that's not part of the plan I'm paying for.

I guess I'll have to write some PHP code around it to password protect it - I knew that was a possibility, but I thought it was worth asking first if there was an easier way. Plus, DonQuichote's point is well taken about other information, so if I get some code working, perhaps I'll include it on all my accounts, not just the Apache2 one.

 

[feherke]

Hi

I guess I'll have to write some PHP code around it to password protect it

Actually I was thinking to HTTP authentication.

Feherke.

http://free.rootshell.be/~feherke/

 

[jpadie]

ob_start();
phpinfo();
$c = ob_get_contents();
ob_end_clean();
$pattern = '§<td class="e">sendmail_from</td><td class="v"><i>.*?</i></td><td class="v"><i>.*?</i></td></tr>§s';
$replace = '<td class="e">sendmail_from</td><td class="v"><i>hidden value</i></td><td class="v"><i>hidden value</i></td></tr>';
$_c = preg_replace ($pattern, $replace, $c);
echo $_c;

or

ini_set('sendmail_from', 'hidden value');
phpinfo();

 

[OsakaWebbie]

Nice ideas - I had never heard about output buffering before, but I can imagine a variety of uses. But it took me a while to get something that actually worked at all.

My first choice would be to use ini_set. But the variable I need to deal with is not sendmail_from - in my case that's not set. It's apache2handler -> Server Administrator, Apache Environment -> SERVER_ADMIN, and PHP Variables -> _SERVER["SERVER_ADMIN"]. I have no idea what those equate to in something one could set using ini_set, but I couldn't find anything similar in the documentation - even as little as the string "adm" doesn't appear in

http://www.php.net/manual/en/ini.list.php.

So then I tried the other code, but since my address is showing up in three places, I used only the value part and included my literal email address. Then preg_replace was giving me a mysterious error (it complained about a "t", but I suspected that the "@" was actually the problem - I don't know), so I simplified to str_replace since I wasn't doing any regexp anyway. That didn't seem to replace anything, so I checked the source code carefully and found that everything has a space after it. But adding the space didn't help, so I ended up removing the markup altogether:

echo str_replace ($email, "(hidden)", $inbuffer); //$email is set earlier

That works, and I give you a star for the ideas, but I would still prefer not to need the literal address (the ini_set nethod or something using preg_replace that actually works), so that it's more portable and doesn't stop working if the server admin email gets changed someday.

 

[jpadie]

i suspect that it is not php that is giving you problems but apache instead. php is just inheriting apache's data.

don't know whether this will work but you could try this

ini_set('sendmail_from', 'hidden value');
$_SERVER = $_ENV = array();

or you can try this (which is probably a much better idea ...)

ini_set('sendmail_from', 'hidden value');
phpinfo(INFO_GENERAL & INFO_CONFIGURATION);

you can change the flags of course but i was trying to exclude the modules information (as apache2handler will expose the email address) and the environmental and other global vars.

 

[jpadie]

you can always, of course, unset your email address in your httpd.conf file (or the equivalent for your virtual host).

and, also (of course) you could apply an unset() to the variables in questions before the phpinfo(). Which is just a more granular variation on unsetting the $_SERVER and $_ENV superglobals.

 

[OsakaWebbie]

As far as I know I don't have access to the httpd.conf file - isn't that a server-wide thing?

...you could apply an unset() to the variables in question...

My problem is that I don't know the name of the variable(s) in question. Like I said, I tried looking through the list of initialization variables that ini_set has access to, but nothing resembling the terms "Server Administrator" or "SERVER_ADMIN" were in the list. I don't actually know what that setting is or what it does. If you have more specific clues, I'm all ears.

 

[OsakaWebbie]

Oops, I didn't notice that you had posted twice. Regarding the earlier post, you keep using "sendmail_from" in your examples. I didn't have any problem using ini_set to change "sendmail_from" - PHP cooperated just fine. The problem is that that is not the variable that needs changing, so all that would happen is that sendmail_from would get changed from "no value" to "hidden" and the variables that actually have my email address would be unaffected.

 

[jpadie]

yes. but see also the qualifying that i added to phpinfo().

the ini_set is necessary to change the default php.ini value. the qualifications avoid the display of module specific and environmental data. give it a whirl.

 

[OsakaWebbie]

When I try that code, nothing is displayed at all. I don't understand what INFO_GENERAL and INFO_CONFIGURATION do, but I just copied the code verbatim, saved, and tried it - I get a blank page.

 

[feherke]

Hi

That was a typo. jpadie intended to use [tt]|[/tt] :

[COLOR=darkgoldenrod]phpinfo[/color][teal]([/teal]INFO_GENERAL [highlight][teal]|[/teal][/highlight] INFO_CONFIGURATION[teal]);[/teal]

I not suggested that, because I find useless what remains from the [tt]phpinfo()[/tt] output after filtering out some sections entirely.

Feherke.

http://free.rootshell.be/~feherke/

 

[jpadie]

not a typo but a mind-blip. it was supposed to be a bitwise OR, not a bitwise AND. So feherke is right, of course, it should have been a [red]|[/red]

 

[OsakaWebbie]

Yup, that shows something now, but just the first two sections. feherke is right - that's not enough for my needs.

 

[jpadie]

add those sections that you want. what sections do you need?
or perhaps put a trivial password protect on the file

session_name('myphpInfo');
session_start();
if ($_SESSION['login']) :
  phpinfo();
elseif (!empty($_POST['passphrase'])):
  if ($_POST['passphrase'] === 'my passphrase'):
     phpinfo();
  else:
     showlogin();
  endif;
else:
  showlogin();
endif;
exit;
function showlogin(){
echo <<<HTML
<form method="post" action="{$_SERVER['PHP_SELF']}" >
Passphrase: <input type="text" name="passphrase" value="" /><br/>
<input type="submit" name="submit" value="log in" />
</form>
HTML;
}

 

[OsakaWebbie]

what sections do you need?

I have no idea what I need until I need it...

I had originally acquiesced to the need to password protect it (see the earliest posts), but I was going to use the same login code as an application that I am often working on when I need to see phpinfo, so that some of the time I won't need to log on twice. Then you came up with possible ideas of how to do it without authentication, so we were exploring those options. I thought ini_set held promise, but I never figured out what the configuration item for Server Admin was called in those terms. And mysteriously, I couldn't get regexp to work to find a value cell with a generic email address (in fact, any time I included markup in my search, it failed). I didn't know there would be this many obstacles to what seems like a simple thing.

If I don't care about portability, the OB and str_replace method is pretty clean, but apparently if I want a portable solution that shows all the sections, then I guess I come full circle back to authentication. I'm surprised that the the programmers of phpinfo() didn't include an option to obfuscate email addresses or something - that was originally what I thought I was asking about.

 

[DonQuichote]

I don't think the programmers thought that php_info would be shown to the public at all. So there is little point in obfuscating it. I think php_info is meant to be used on a (safe internal) development or test server, or put behind a password. Even if you obfuscate the password, all the other info is just too useful for hackers to display.

+++ Despite being wrong in every important aspect, that is a very good analogy +++
Hex (in Darwin's Watch)

 

[jpadie]

my take is that DQ is right. phpinfo should not be exposed.