osCommerce

The e-commerce.

Can I remove phpinfo.php?


rocaholic

Hi everyone, I'm using a quarterly PCI compliance scan by securitymetrics(dot)com

I have two risks rated as 5, but they have the same error.

"Synopsis : The remote web server contains a PHP script that is prone to an information disclosure attack. Description : Many PHP installation tutorials instruct the user to create a PHP file that calls the PHP function 'phpinfo()' for debugging purposes. Various PHP applications may also include such a file. By accessing such a file, a remote attacker can discover a large amount of information about the remote web server, including : - The username of the user who installed php and if they are a SUDO user. - The IP address of the host. - The version of the operating system. - The web server version. - The root directory of the web server. - Configuration information about the remote PHP installation. Solution: Remove the affected file(s). Risk Factor: Medium"

I found a file named phpinfo.php in my public_html folder and its content is only:

<?php phpinfo(); ?>

Is it safe to delete this so I can pass my scan?

And another thing, I hired a few freelancers to help me set up the site as I know nothing about programming. I understand that PCI compliance is a rough area but wanted to see your input on how customers process my orders.

I use inmotionhosting business hosting. My site uses GoDaddy SSL and for my payments, I use the Authorize.net AIM module, I believe. Customers add items, checkout, fill out all the CC information on my site. Money has been going into my bank account. I was wondering if this is safe because I don't see full credit card numbers, except the last 4 (XXXXXXXXXXXX1111) and the expiration date, and I think the billing address as well.

Thank you!!!


That "phpinfo.php" file was not put there by osCommerce. Either you had a developer/installer (your "freelancer") who was very sloppy about security and failed to name it something obscure and remove it when done, or a hacker left it there. Possibly your freelancer deliberately left it in there as a future hack enabler. None of those is good, and it should be removed (or at least, the name changed to something unguessable).

What does this have to do with E-commerce Laws? It belongs in Security under the appropriate product.
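As an added example (not code from this thread or from osCommerce), a small POSIX shell script that finds every file under a web root that calls phpinfo(), whatever it has been named, and then confirms a URL no longer serves the page once the file is gone. It assumes POSIX find/grep and curl; the web-root path and URL are placeholders to replace with your own.

```shell
#!/bin/sh
# Added example, not code from the thread or from osCommerce: locate every PHP
# file under a web root that calls phpinfo(), whatever the file is named, so the
# information-disclosure finding can be cleared by removing the files themselves
# rather than just the one the scanner happened to guess.
# The web-root path below is an assumption; pass your own (e.g. ~/public_html).

# Print the path of each PHP file that contains a phpinfo( call.
# -i: PHP function names are case-insensitive, so PHPINFO() must match too.
# The regex tolerates whitespace between the name and the parenthesis.
# A call inside a comment is flagged as well; review those by hand.
find_phpinfo_files() {
    webroot="$1"
    find "$webroot" -type f \
        \( -name '*.php' -o -name '*.phtml' -o -name '*.php5' -o -name '*.inc' \) \
        -exec grep -liE 'phpinfo[[:space:]]*\(' {} + 2>/dev/null
    return 0
}

# Number of such files; zero means nothing under this root still exposes
# phpinfo() output.
count_phpinfo_files() {
    find_phpinfo_files "$1" | wc -l | tr -d '[:space:]'
}

# After deleting the files, confirm the URL no longer answers with HTTP 200.
# Returns 0 (success) when the page is gone, 1 if it is still being served.
phpinfo_url_removed() {
    code=$(curl -s -o /dev/null --max-time 10 -w '%{http_code}' "$1")
    [ "$code" != "200" ]
}

# Example run (path and URL are placeholders):
# find_phpinfo_files "$HOME/public_html"
# phpinfo_url_removed "https://www.example.com/phpinfo.php" && echo "gone"
```

Run the first function before and after the cleanup; the second only tells you whether the page is still reachable, so re-run the PCI scan afterwards to close the finding formally.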


"What does this have to do with E-commerce Laws? It belongs in Security under the appropriate product."

"Is it safe to delete this so I can pass my scan?

And another thing, I hired a few freelancers to help me set up the site as I know nothing about programming. I understand that PCI compliance is a rough area but wanted to see your input on how customers process my orders.

I use inmotionhosting business hosting. My site uses GoDaddy SSL and for my payments, I use the Authorize.net AIM module, I believe. Customers add items, checkout, fill out all the CC information on my site. Money has been going into my bank account. I was wondering if this is safe because I don't see full credit card numbers, except the last 4 (XXXXXXXXXXXX1111) and the expiration date, and I think the billing address as well.

Thank you!!!"

Because I was wondering if this is "PCI-DSS" compliant. Thank you both for your responses.
