PortSwigger Academy - Information Disclosure on Debug Page
Lab Overview
This lab contains a debug page that discloses sensitive information about the application. To solve the lab, obtain and submit the SECRET_KEY environment variable.
Instructions
To solve the lab:
- Obtain and submit the SECRET_KEY environment variable.
Debugging tools and scripts can be invaluable during development, but when left exposed in production, they often become a treasure trove for attackers. In this case, we explore how a publicly accessible debug page (phpinfo.php) inadvertently disclosed sensitive environment variables, including the application’s SECRET_KEY. Let’s walk through the steps taken to identify and exploit this vulnerability, understand its risks, and discuss how to mitigate it.

Initial Discovery
While inspecting the source code of the homepage, a commented-out anchor tag pointing to a phpinfo.php script was discovered:
<a href="/cgi-bin/phpinfo.php">
Although this link wasn’t visible on the rendered page, it was easily found in the source code. Clicking on the link led to a debug page that runs the phpinfo() function, which provides a wealth of information about the server’s PHP configuration.
Exploring the phpinfo.php Debug Page
Navigating to /cgi-bin/phpinfo.php, the page displayed detailed information about the server’s PHP environment, including:
- PHP version
- Loaded modules
- Server configuration
- Environment variables

Using the browser’s search functionality, we searched for the keyword SECRET_KEY and found the following environment variable exposed:

This environment variable could potentially be used for signing cookies, encrypting sensitive data, or other critical application functions. With this information, we completed the lab by submitting the SECRET_KEY value.
Why It's Vulnerable
1. Sensitive Information Disclosure
The phpinfo() function dumps detailed server information, including:
- Environment Variables: These often contain sensitive data like API keys, database credentials, or application secrets.
- Server Configuration: Information about PHP versions, installed modules, and file paths helps attackers identify potential attack vectors.
- Debugging Data: Includes internal paths and other technical details that can assist in crafting exploits.
2. Commented-Out Code Is Still Exposed
The link to /cgi-bin/phpinfo.php was commented out in the HTML, but it remained discoverable in the source code. Commenting out sensitive functionality is a poor practice because attackers routinely inspect page sources or use automated tools to find these hidden clues.
3. Publicly Accessible cgi-bin Directory
The cgi-bin directory is a common target for penetration testers and attackers because it often contains old, leftover, or misconfigured scripts. When publicly accessible, it provides an easy entry point into sensitive server functionality.
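A pre-deployment check for the first two issues above, added here as an example and not part of the original write-up: it flags links hidden inside HTML comments and phpinfo() calls in PHP sources. The function names and the sample inputs are constructed for illustration.

```python
"""Pre-deployment check (added example): flag links hidden in HTML comments
and phpinfo() calls in PHP sources. All sample inputs are constructed."""
import re
from html.parser import HTMLParser

LINK_RE = re.compile(r'''(?:href|src|action)\s*=\s*["']?([^"'\s>]+)''', re.I)
PHPINFO_RE = re.compile(r'\bphpinfo\s*\(', re.I)


class CommentLinkFinder(HTMLParser):
    """Collects URLs that appear inside <!-- ... --> comments."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_comment(self, data):
        # Only comment bodies reach this hook; visible tags are ignored.
        self.links.extend(LINK_RE.findall(data))


def find_commented_links(html):
    """Return every URL referenced from inside an HTML comment."""
    finder = CommentLinkFinder()
    finder.feed(html)
    finder.close()
    return finder.links


def find_phpinfo_calls(php_source):
    """Return 1-based line numbers that call phpinfo(); a plain regex scan,
    so it also reports calls sitting inside PHP comments."""
    return [n for n, line in enumerate(php_source.splitlines(), 1)
            if PHPINFO_RE.search(line)]


# Constructed sample inputs modelled on the lab's homepage and debug script.
SAMPLE_HTML = """<html><body>
<a href="/products">Products</a>
<!-- <a href="/cgi-bin/phpinfo.php">Debug</a> -->
</body></html>"""
SAMPLE_PHP = "<?php\n// temporary debug page\nphpinfo();\n"

if __name__ == "__main__":
    for url in find_commented_links(SAMPLE_HTML):
        print("link hidden in HTML comment:", url)
    for lineno in find_phpinfo_calls(SAMPLE_PHP):
        print("phpinfo() call at line", lineno)
```

Run against rendered pages and the web root in CI, a non-empty result from either function is a reason to fail the build before the release reaches production.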
The Impact
Exposing a debug page like phpinfo.php can have far-reaching consequences:
- Compromise of Sensitive Data
  Attackers can retrieve environment variables like the SECRET_KEY in this scenario, which might be used for:
  - Signing or verifying authentication tokens.
  - Encrypting or decrypting sensitive data.
  - Accessing APIs or other backend systems.
- Facilitation of Further Attacks
  Details about PHP versions, installed modules, and server configurations allow attackers to:
  - Identify known vulnerabilities in the software stack.
  - Tailor their exploits to the server’s specific setup.
- Loss of Control and Trust
  Once sensitive data like the SECRET_KEY environment variable is compromised, attackers can impersonate users, tamper with application data, or escalate their access, leading to significant reputational and financial damages.