[thelist] is this usual

gabriel rivera evolt at protocol0.com
Fri Feb 28 15:33:37 CST 2003


> http://uptime.netcraft.com/up/graph?site=http%3A//morgankelsey.com/
>
> Yes, your point about file structure is very true, but the other info is,
> well, you can see it above. :)

To clarify, this info is in the http header for all to see.  (OS/web server
software, etc).

Security through obscurity is no security at all.  Skript kiddies and their
ilk have no trouble determining this info, and there are far more robust tools
than netcraft in the wild for gathering this information.

The big red flag with outputting all this environment info, via phpinfo(),
looping through Request.ServerVariables, etc, is that the information
provided is far more sensitive than what's available in the header.

Also, there's nothing more embarrassing than google caching the output of
phpinfo(), or a bad database query that writes the db connection info out to
the client.

http://www.google.com/search?q=phpinfo

I think the best practice is to deploy this sort of testing script behind
some sort of authentication layer only.

-gabriel
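One way to put a diagnostic script like phpinfo() behind an authentication layer and keep its output out of search engine caches, as an added example written for this page (not code from the thread or from any project it mentions). It assumes the operator sets the environment variables DIAG_USER and DIAG_PASS_HASH (a password_hash() value) and that PHP runs as an Apache module, where PHP_AUTH_USER and PHP_AUTH_PW are populated.

```php
<?php
// Added example: gate phpinfo() behind HTTP Basic auth and mark the response
// non-cacheable and non-indexable. DIAG_USER / DIAG_PASS_HASH are assumed
// operator-provided settings, not anything from the original post.
declare(strict_types=1);

function diag_authorized(array $server, string $user, string $passHash): bool
{
    $u = $server['PHP_AUTH_USER'] ?? '';
    $p = $server['PHP_AUTH_PW'] ?? '';
    // hash_equals() compares the username in constant time; password_verify()
    // checks the supplied password against the stored password_hash() value.
    return hash_equals($user, $u) && password_verify($p, $passHash);
}

function send_no_cache_headers(): void
{
    // Ask crawlers not to index or archive the page, and caches not to store it,
    // so the output does not end up in a search engine cache.
    header('X-Robots-Tag: noindex, noarchive, nofollow');
    header('Cache-Control: no-store, private');
    header('Pragma: no-cache');
}

$user = getenv('DIAG_USER') ?: '';
$hash = getenv('DIAG_PASS_HASH') ?: '';

if ($user === '' || $hash === '') {
    // Fail closed: with no credentials configured, serve no diagnostics at all.
    http_response_code(503);
    exit('Diagnostics disabled.');
}

send_no_cache_headers();

if (!diag_authorized($_SERVER, $user, $hash)) {
    header('WWW-Authenticate: Basic realm="diagnostics"');
    http_response_code(401);
    exit('Authentication required.');
}

// Only an authenticated caller reaches the sensitive output.
phpinfo();
```

Under CGI or FastCGI the PHP_AUTH_* variables are often not set, so there the check should be done at the web server instead (for example an Apache or nginx auth directive on the script's location).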