PHP Classes

protect the phpinfo() command: add a password to run the phpinfo() function

Recommend this page to a friend!
  All requests RSS feed  >  protect the phpinfo() command  >  Request new recommendation  >  A request is featured when there is no good recommended package on the site when it is posted. Featured requests  >  No recommendations No recommendations  

protect the phpinfo() command

A request is featured when there is no good recommended package on the site when it is posted. Edit

Picture of Elton Gomez by Elton Gomez - 2 months ago (2024-05-10)

add a password to run the phpinfo() function

This request is clear and relevant.
This request is not clear or is not relevant.

+1

If during the demonstration of an application deployed on the Internet I need to query the value of a phpinfo() parameter, phpinfo() is required to run if and only if a challenge or password is correctly answered. I am looking for a piece of PHP code that will help me resolve this query, and if possible include challenge or password maintenance functions.

  • 1 Clarification request
  • 1. Picture of Cedric Maenetja by Cedric Maenetja - 2 months ago (2024-05-15) Reply

    Here's a sample code, Define the list of known configuration-related functions Check if function is_configuration_function before calling the actual function Prompt & Validate password (in the example below I using the command line to prompt for the password) Proceed if password is correct

    <?php

    function is_configuration_function($function_name) {
        // Define the list of known configuration-related functions
        $config_functions = [
            'phpinfo',
            'phpversion',
            'ini_get',
            'ini_set',
            'get_cfg_var',
            'get_loaded_extensions',
            'get_defined_constants',
            'extension_loaded',
            // Add more configuration-related functions as needed
        ];
    

        // Check if the function is in the list and exists
        return in_array($function_name, $config_functions) && function_exists($function_name);
    }
    

    $stored_password = '12345'; // the stored password, better encypt the passwords
    $input_password = '';
    $function_name = 'phpversion';
    

    // check if function is_configuration_function before calling the actual function
    if (is_configuration_function($function_name)) {
        // function is_configuration_function
        // prompt a user for a password
        $input_password = readline('Enter a configuration password: ');
        // while password is incorrect keep promting for the password
        // you can also add logic here to exit or stop execution after certain tries
        while ($input_password != $stored_password){
            $input_password = readline('Enter a configuration password: ');
        }
    

        // password correct proceed and call the function
        eval("echo $function_name();");
    

    } else {
        // $function_name is not a configuration function";
        // no need for password prompt call the function 
        eval("echo $function_name();");
    }
    

    ?>

    Ask clarification

    2 Recommendations

    Protected PHPInfo: Show PHPInfo function output on a protected page

    This recommendation solves the problem.
    This recommendation does not solve the problem.

    0

    Picture of Faris AL-Otabi by Faris AL-Otabi package author package author Reputation 50 - 1 month ago (2024-06-13) Comment

    This package can show PHPInfo function output on a protected page.

    It provides a Web page script that presents a form to ask the user for a username and password.

    The same script can check if the username and password match the credentials stored in a password file in the JSON format.

    If the username and password are valid, the script shows the output of the PHP phpinfo function.


    PHPInfo Guard: Protected replacement for the phpinfo() function

    This recommendation solves the problem.
    This recommendation does not solve the problem.

    0

    Picture of Eric Jumba by Eric Jumba package author package author Reputation 75 - 1 month ago (2024-05-31) Comment

    PhpInfoGuard is a PHP package designed to enhance security by globally protecting the phpinfo() command. This package ensures that the phpinfo() function can only be executed under controlled conditions, preventing unauthorized access to sensitive PHP configuration details. Ideal for developers and system administrators looking to secure their PHP environments, PhpInfoGuard provides a simple yet powerful solution to a common security concern.


    Recommend package
    : 
    :