php.lang.security.phpinfo-use.phpinfo-use

semgrep

Author

4,191

Download Count*

LGPL Commons Clause

License

The 'phpinfo' function may reveal sensitive information about your environment.

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit Rule View Source

Open in Playground

rules:
  - id: phpinfo-use
    pattern: phpinfo(...);
    message: The 'phpinfo' function may reveal sensitive information about your
      environment.
    metadata:
      cwe:
        - "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
      references:
        - https://www.php.net/manual/en/function.phpinfo
        - https://github.com/FloeDesignTechnologies/phpcs-security-audit/blob/master/Security/Sniffs/BadFunctions/PhpinfosSniff.php
      category: security
      technology:
        - php
      owasp:
        - A01:2021 - Broken Access Control
      cwe2021-top25: true
      subcategory:
        - vuln
      likelihood: MEDIUM
      impact: MEDIUM
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Mishandled Sensitive Information
    languages:
      - php
    severity: ERROR

Examples

phpinfo-use.php

<?php

// ruleid: phpinfo-use
echo phpinfo();

Short Link: https://sg.run/W82E