• Resolved bhavini06

    (@bhavini06)


    Using phpinfo() can expose the entire server configuration to my users, including every environment variable.

    How do I fix it?

    Remove any usage of phpinfo from my codebase or from the Wordfence settings? And if I remove it from the codebase, will the site break?

    Subissues

    wp-content/plugins/wordfence/lib/menu_tools_diagnostic.php

    Critical

    Line 763 in menu_tools_diagnostic.php

    <?php if (wfUtils::funcEnabled('phpinfo')) { phpinfo(); } else { echo '<strong>' . esc_html__('Unable to output phpinfo content because it is disabled', 'wordfence') . "</strong>\n"; } ?>

    wp-content/plugins/wordfence/lib/sysinfo.php

    Line 11 in sysinfo.php

    if (wfUtils::funcEnabled('phpinfo')) { phpinfo(INFO_ALL); } else { echo '<center><strong>' . esc_html__('Unable to output phpinfo content because it is disabled', 'wordfence') . "</strong></center>\n"; }

    wp-content/plugins/wordfence/lib/wordfenceClass.php

    Line 4019 in wordfenceClass.php

    if (wfUtils::funcEnabled('phpinfo')) { phpinfo(); } else { echo "\n\n" . __('Unable to output phpinfo content because it is disabled', 'wordfence') . "\n\n"; }

    wp-content/plugins/wordfence/views/diagnostics/text.php

    Line 556 in text.php

    if (wfUtils::funcEnabled('phpinfo')) { phpinfo(); } else { echo "\n\n" . __('Unable to output phpinfo content because it is disabled', 'wordfence') . "\n\n"; }
Viewing 1 replies (of 1 total)
  • Plugin Support wfpeter

    (@wfpeter)

    Hi @bhavini06,

    Bear in mind that a full phpinfo() shouldn’t ever have a reason to be included in a regular public-facing page, but those Wordfence functions will only trigger for a logged-in admin who chooses to view or send diagnostics for troubleshooting purposes from the plugin. There’s no way for regular visitors to your site to execute this code, so naturally protecting your admin accounts with complex passwords and two-factor authentication is always good practice.

    You can actually use the disable_functions directive in your server’s php.ini file to specify phpinfo if you’re concerned. In that case, the server returns “Warning: phpinfo() has been disabled for security reasons”. As that’s just a warning and not a fatal error, it shouldn’t prevent Wordfence or anything else that uses it from functioning correctly. Your host can help you with that if you’re unsure how to do it.

    Thanks,
    Peter.
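As an added example (not Wordfence’s own code; the real wfUtils::funcEnabled() implementation is not reproduced here), the php.ini line the reply describes, next to a hypothetical guard that checks the disable_functions directive before calling phpinfo() and only ever emits it for an administrator:

```php
<?php
// Added example, not the plugin's code.
//
// php.ini (or a php-fpm pool / .user.ini file):
//   disable_functions = phpinfo
//
// Hypothetical helper: report whether phpinfo() can run under the current
// configuration without actually calling it.
function phpinfo_is_enabled(): bool
{
    // PHP 8 treats disabled functions as non-existent, but PHP 7 and earlier
    // still report them via function_exists(), so check the directive too.
    if (!function_exists('phpinfo')) {
        return false;
    }
    $disabled = array_map('trim', explode(',', (string) ini_get('disable_functions')));
    return !in_array('phpinfo', $disabled, true);
}

// Hypothetical diagnostics output: gated on the WordPress capability check
// (current_user_can() is WordPress's own function; it is absent on the CLI),
// and limited to general/configuration sections rather than INFO_ALL.
function render_diagnostics_phpinfo(): void
{
    if (!function_exists('current_user_can') || !current_user_can('manage_options')) {
        echo "phpinfo output is restricted to administrators\n";
        return;
    }
    if (phpinfo_is_enabled()) {
        phpinfo(INFO_GENERAL | INFO_CONFIGURATION);
    } else {
        echo "phpinfo() is disabled via disable_functions\n";
    }
}

// CLI check, e.g. `php -d disable_functions=phpinfo this_file.php`
// prints "disabled" once the directive is set.
echo phpinfo_is_enabled() ? "enabled\n" : "disabled\n";
```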

The topic ‘Remove phpinfo()’ is closed to new replies.