The Joy of PCI Compliance - PHP Info File Is Public

Discussion in 'Troubleshooting' started by nytix2, May 30, 2017.

  1. nytix2

    nytix2 aMember Pro Customer

    Going through PCI compliance now, so a few things that will affect aMember including this one:

    PHP Info File Can Be Seen Publicly:
    A file such as info.php or phpinfo.php was found on this webserver. These files typically reveal detailed information about your server's configurations and build. This information could be valuable to an attacker developing an attack on your network. Remove this file if it is not needed; otherwise, consider placing access controls on this file so that only authorized users can view it.

    Safe to rename this file? Which config file do I need to change to make aMember still be able to use it?
  2. caesar

    caesar aMember Pro Developer Staff Member

    Hello,

    What is the full path to these files? aMember does not actually have such files.

    Best Regards.
  3. nytix2

    nytix2 aMember Pro Customer

    Yes, aMember does not have this file, but I understand that it still uses this system file when you select the aMember menu - utilities/system info. If this system file no longer exists or is renamed, then aMember will get an error if you select that menu, not sure of what other impacts this will have on aMember operation. This change is not my first choice to make, but this change is required for PCI compliance - to get rid of it because it gives hackers way too much information about the setup of your web server in one public place, making it easier to spot vulnerabilities. The other choice is to lock the file down with some permissions, but that will have an adverse effect too on aMember, as it may not be able to read it.
    Last edited: Jun 1, 2017
  4. caesar

    caesar aMember Pro Developer Staff Member

    aMember does not use these files. If you do not need this file, then you can remove it.

    It does not have any impact on aMember.

    Best Regards.
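
An added example, not part of the thread and not aMember code: a small Python audit that walks a web root and lists every PHP file that calls `phpinfo()`, so a scanner finding like the one quoted in the first post can be checked beyond the `info.php` / `phpinfo.php` names. The function names, the extension list and the sample files are assumptions made up for the illustration, and the comment stripping is a heuristic, not a PHP parser.

```python
import re
import tempfile
from pathlib import Path

# phpinfo( as a plain function call; skips my_phpinfo(, $o->phpinfo(, Foo::phpinfo(
CALL = re.compile(r"(?<![\w$>:])phpinfo\s*\(", re.IGNORECASE)
# Block comments and whole-line // or # comments (heuristic, not a PHP parser)
COMMENT = re.compile(r"/\*.*?\*/|^[ \t]*(?://|#)[^\n]*", re.DOTALL | re.MULTILINE)
# Tags, the call itself and whitespace: if nothing else is left, the file is
# a dedicated info page ("standalone"); otherwise the call is "embedded"
WRAPPER = re.compile(r"<\?php|<\?=?|\?>|phpinfo\s*\([^)]*\)\s*;?|\s+", re.IGNORECASE)
PHP_EXT = (".php", ".phtml", ".inc")  # assumed list; match your handler mapping


def find_phpinfo(docroot):
    """Return sorted (relative_path, line, kind) for every file calling phpinfo()."""
    hits = []
    for path in Path(docroot).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in PHP_EXT:
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        # Blank out comments but keep newlines so line numbers stay right
        code = COMMENT.sub(lambda m: "\n" * m.group().count("\n"), text)
        match = CALL.search(code)
        if not match:
            continue
        line = code.count("\n", 0, match.start()) + 1
        kind = "embedded" if WRAPPER.sub("", code) else "standalone"
        hits.append((path.relative_to(docroot).as_posix(), line, kind))
    return sorted(hits)


def build_sample(root):
    """Write a constructed sample web root (names and contents are made up)."""
    samples = {
        "info.php": "<?php\nphpinfo();\n",
        "admin/tools.php": "<?php\nrequire 'auth.php';\n// phpinfo();\n"
                           "function show() {\n    phpinfo(INFO_GENERAL);\n}\n",
        "lib/util.php": "<?php\nfunction my_phpinfo() { return 1; }\n$o->phpinfo();\n",
    }
    for rel, body in samples.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body, encoding="utf-8")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        print(*find_phpinfo(root), sep="\n")
```

A `standalone` hit is the kind of file the finding describes and can be removed as advised in the reply above; an `embedded` hit needs a look at what access control sits in front of the call.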
