I was told that phpinfo contains sensitive data so you should delete it in production environment. But this afternoon I took a good look at it and found nothing interesting. So here's my question. What on earth is sensitive? How's an attacker gonna use such information? Or what will s/he know from the config page?
In general the security concern is that the more information your infrastructure and applications "give away" (by disclosing product names, versions and capabilities) the less work an adversary has to do to gather information and the easier it becomes for them to quickly target specific (known) vulnerabilities.
That makes it best practice in production environments to, among many others, suppress version numbers, disable debug code/options (like phpinfo()), suppress error messages and more... An example.
If your phpinfo page reveals that you are using Windows Server 2008 and PHP 5.6, with certain PHP modules, then the attackers can easily take control of your server because, The less information you reveal to the outside world, the more difficult it is for the attackers to exploit.
You'd better hire a security consultant and learn more.
Every bit of information leaked out about your server could potentially be problematic. Even the Apache banner that leaks out if you don't disable it in the httpd.conf could lead to a compromise. Go to exploit-db.com and look at, for example, all the vulnerabilities against Apache. Note that most affect specific versions. So now, with phpinfo exposing that info, it's simple for a script kiddie to automatically attack your system, which even if it's patched can still cause problems, at least traffic disruptions. Whereas if they don't have a version then they won't generally run anything. Many Apache mods have had issues in the past - another thing phpinfo exposes. Certain local exploits run on certain kernels - phpinfo again...
It also shows what DB you are using - so immediately an attacker knows which commands to try to use to conduct SQL injection attacks. And certain versions are vulnerable to specific exploits.
You also can guess from phpinfo such info as user names, the format of user names, the directory structure... For some attacks you need to know the directory structure, like PUT attacks, where usually the attacker has to make an educated guess, but phpinfo puts that info out there.
Even such info as the server administrator, who you can then Google and maybe find their security issues on StackExchange...
Basically, phpinfo is a big fat menu for any potential attacker out there. Cover that **** up. And while you are at it, hide your banner versions unless you need that info for some reason.
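The measures the answers above recommend (hide the PHP version, keep errors out of the browser, and make phpinfo() itself unusable) map onto a handful of php.ini directives. The fragment below is an added illustration, not taken from any of the answers; each directive shows the value that leaks information next to the hardened one, and the error_log path is an assumed example.

```ini
; php.ini for production (added example, not from the answers above).
; Each directive lists the leaky value the answers warn about, then the hardened one.

; With expose_php = On, every response carries an "X-Powered-By: PHP/x.y.z" header,
; handing out the exact PHP version without the attacker even finding phpinfo.
; expose_php = On
expose_php = Off

; Errors shown in the browser reveal file system paths, SQL fragments and stack details.
; display_errors = On
display_errors = Off
display_startup_errors = Off

; Keep that detail for operators: log it rather than display it.
log_errors = On
error_log = /var/log/php/error.log   ; assumed path, adjust for your host

; Disable phpinfo() outright, so a forgotten phpinfo.php no longer renders
; the configuration page even if it is still reachable.
disable_functions = phpinfo
```

These settings take effect after the PHP process (php-fpm or the Apache module) is restarted. The Apache banner mentioned in the last answer is a separate setting in httpd.conf: `ServerTokens Prod` together with `ServerSignature Off` reduces it to "Apache" with no version or module list.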