Is it possible to obfuscate or remove environment variables from phpinfo?
If not, is the only alternative to display the phpinfo function?
Thinking about it further, someone could easily print_r($_SERVER) and get the credentials as well. What would be a solution to this?
Clarification: This is in regards to Apache Environment Variables.
The Suhosin patch does this:
Ignores GET, POST, COOKIE variables with the following names: GLOBALS, _COOKIE, _ENV, _FILES, _GET, _POST, _REQUEST, _SERVER, _SESSION, HTTP_COOKIE_VARS, HTTP_ENV_VARS, HTTP_GET_VARS, HTTP_POST_VARS, HTTP_POST_FILES, HTTP_RAW_POST_DATA, HTTP_SERVER_VARS, HTTP_SESSION_VARS
Other than that, I am not aware of a way to cleanly hide those variables.
That said, it shouldn't be really necessary in the first place - external visitors shouldn't be able to run phpinfo(), or dump arbitrary variables.
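One way to check the point made in the answer above, that visitors should not be able to reach phpinfo() or a dump of $_SERVER: the following is an added example, not part of the original posts, that scans a web root for PHP files containing such calls. The file names and contents are constructed samples, and the regex scan is a heuristic, not a PHP parser.

```python
import re
import tempfile
from pathlib import Path

PHP_SUFFIXES = {".php", ".phtml", ".inc"}

# Calls that print the whole server environment (Apache SetEnv values included).
# A single-key read such as $_SERVER['HTTP_HOST'] is deliberately not flagged.
DUMP_PATTERNS = [
    ("phpinfo", re.compile(r"\bphpinfo\s*\(", re.I)),
    ("superglobal dump", re.compile(
        r"\b(?:print_r|var_dump|var_export)\s*\(\s*"
        r"\$(?:_SERVER|_ENV|GLOBALS)\b(?!\s*\[)", re.I)),
]

def scan_docroot(root):
    """Return (relative path, line number, label) for each suspicious call."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in PHP_SUFFIXES:
            continue
        text = path.read_text(errors="replace")
        for lineno, line in enumerate(text.splitlines(), 1):
            # Heuristic: skip lines that are wholly a comment.
            if line.lstrip().startswith(("//", "#", "/*", "*")):
                continue
            for label, rx in DUMP_PATTERNS:
                if rx.search(line):
                    rel = path.relative_to(root).as_posix()
                    findings.append((rel, lineno, label))
    return findings

def demo():
    """Scan a constructed sample docroot (hypothetical file names)."""
    samples = {
        "info.php": "<?php phpinfo(); ?>\n",
        "debug/dump.php": "<?php\n// print_r($_SERVER);\nvar_dump($_SERVER);\n",
        "app/db.php": "<?php\n$dsn = $_SERVER['DB_DSN'];\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in samples.items():
            target = Path(tmp) / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body)
        return scan_docroot(tmp)

if __name__ == "__main__":
    for finding in demo():
        print("%s:%d: %s" % finding)
```

Point `scan_docroot()` at the real document root and review or remove every file it reports before deployment.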