
Security: Potential Information Disclosure via phpinfo() Endpoint#1003

Closed
tomaioo wants to merge 1 commit into nextcloud:master from tomaioo:fix/security/potential-information-disclosure-via-php

Conversation

@tomaioo

@tomaioo tomaioo commented May 25, 2026


Summary

Security: Potential Information Disclosure via phpinfo() Endpoint

Problem

Severity: Medium | File: lib/Controller/PageController.php:L47

The PageController exposes a phpinfo() endpoint that renders PHP configuration details when enabled via app config. While protected by a config flag, if enabled, phpinfo(INFO_ALL & ~INFO_ENVIRONMENT & ~INFO_VARIABLES) still exposes extensive server information including loaded extensions, compilation options, and server paths. This could aid attackers in reconnaissance. The PhpInfoResponse class sets ContentSecurityPolicy and FeaturePolicy but the raw phpinfo output still contains sensitive data.

Solution

Consider removing or heavily restricting this endpoint. If needed for debugging, require admin authentication and log access. Evaluate if the INFO_MODULES flag might still expose sensitive extension versions.

Changes

  • lib/Controller/PageController.php (modified)

The PageController exposes a phpinfo() endpoint that renders PHP configuration details when enabled via app config. While protected by a config flag, if enabled, phpinfo(INFO_ALL & ~INFO_ENVIRONMENT & ~INFO_VARIABLES) still exposes extensive server information including loaded extensions, compilation options, and server paths. This could aid attackers in reconnaissance. The PhpInfoResponse class sets ContentSecurityPolicy and FeaturePolicy but the raw phpinfo output still contains sensitive data.

Signed-off-by: tomaioo <203048277+tomaioo@users.noreply.github.com>
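The description above names the mask phpinfo(INFO_ALL & ~INFO_ENVIRONMENT & ~INFO_VARIABLES) and asks whether the remaining flags still reveal paths and component versions. The script below is an added example (not code from this PR or from Nextcloud): it runs phpinfo() under several masks into an output buffer, lists which flag bits each mask keeps, and checks the captured text for phpinfo's own row labels that reveal filesystem layout or build details ("Loaded Configuration File", "extension_dir", "Configure Command", and so on). It also sketches an illustrative access gate, renderPhpinfoForAdmin(), whose $isAdmin, $log and $actor parameters are assumptions standing in for whatever the host application provides; they are not Nextcloud APIs.

```php
<?php
declare(strict_types=1);

/*
 * Added example (not Nextcloud or the PR author's code): measure what each
 * phpinfo() flag contributes, so the mask used by a debug endpoint can be
 * narrowed deliberately rather than by guesswork.
 */

const PHPINFO_FLAGS = [
    'INFO_GENERAL'       => INFO_GENERAL,
    'INFO_CREDITS'       => INFO_CREDITS,
    'INFO_CONFIGURATION' => INFO_CONFIGURATION,
    'INFO_MODULES'       => INFO_MODULES,
    'INFO_ENVIRONMENT'   => INFO_ENVIRONMENT,
    'INFO_VARIABLES'     => INFO_VARIABLES,
    'INFO_LICENSE'       => INFO_LICENSE,
];

/** Names of the flag bits still set in a phpinfo() mask. */
function enabledFlags(int $mask): array
{
    $names = [];
    foreach (PHPINFO_FLAGS as $name => $bit) {
        if (($mask & $bit) !== 0) {
            $names[] = $name;
        }
    }
    return $names;
}

/** Run phpinfo() with the given mask and return its output instead of emitting it. */
function capturePhpinfo(int $mask): string
{
    ob_start();
    phpinfo($mask);
    return (string) ob_get_clean();
}

/** Which of the given row labels appear (case-insensitively) in captured phpinfo output. */
function leakedMarkers(string $output, array $markers): array
{
    return array_values(array_filter(
        $markers,
        static fn (string $m): bool => stripos($output, $m) !== false
    ));
}

/**
 * Hypothetical gate for a debug endpoint: refuse non-admins, record every
 * access attempt, and render only the narrowed mask. $isAdmin, $log and
 * $actor are assumptions of this example, not a real framework's API.
 */
function renderPhpinfoForAdmin(bool $isAdmin, callable $log, string $actor, int $mask): ?string
{
    if (!$isAdmin) {
        $log(sprintf('phpinfo denied for %s', $actor));
        return null;
    }
    $log(sprintf('phpinfo served to %s with flags [%s]', $actor, implode(',', enabledFlags($mask))));
    return capturePhpinfo($mask);
}

// Row labels from phpinfo()'s own output that reveal filesystem layout,
// build options or component versions.
$markers = [
    'Loaded Configuration File', // path of php.ini
    'extension_dir',             // where extensions live on disk
    'include_path',
    'Configure Command',         // build options, often with install prefixes
    'Server API',
    'PHP Version',
];

$masks = [
    'INFO_ALL'                    => INFO_ALL,
    'PR mask: ALL & ~ENV & ~VARS' => INFO_ALL & ~INFO_ENVIRONMENT & ~INFO_VARIABLES,
    'narrow: MODULES only'        => INFO_MODULES,
    'narrow: CONFIGURATION only'  => INFO_CONFIGURATION,
];

foreach ($masks as $label => $mask) {
    $out = capturePhpinfo($mask);
    printf("%-28s flags=%s\n", $label, implode('|', enabledFlags($mask)));
    printf("%-28s %d bytes, leaks: %s\n\n", '', strlen($out),
        implode(', ', leakedMarkers($out, $markers)) ?: '(none of the markers)');
}

// Constructed logger: in a real application this would be the app's logger.
$log = static fn (string $line) => fwrite(STDERR, date('c') . ' ' . $line . PHP_EOL);
$html = renderPhpinfoForAdmin(true, $log, 'admin', INFO_CONFIGURATION);
echo $html === null ? "denied\n" : 'served ' . strlen($html) . " bytes\n";
```

Run it from the CLI (php phpinfo_masks.php); phpinfo() emits plain text there and HTML under a web SAPI, but the row labels are the same, so the marker check works in both. Comparing the per-mask "leaks" lines shows concretely which rows survive the PR's mask and which disappear only when INFO_GENERAL and INFO_CONFIGURATION are also dropped, which is the evaluation the Solution section asks for.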
@kesselb

kesselb commented Jun 1, 2026

Collaborator

Thanks for your pull request 👍

require admin authentication

The endpoint is only accessible to administrators already.
Controllers are by default admin-only.

@kesselb kesselb closed this Jun 1, 2026
@github-actions

github-actions Bot commented Jun 9, 2026

Contributor

Hello there,
Thank you so much for taking the time and effort to create a pull request to our Nextcloud project.

We hope that the review process is going smooth and is helpful for you. We want to ensure your pull request is reviewed to your satisfaction. If you have a moment, our community management team would very much appreciate your feedback on your experience with this PR review process.

Your feedback is valuable to us as we continuously strive to improve our community developer experience. Please take a moment to complete our short survey by clicking on the following link: https://cloud.nextcloud.com/apps/forms/s/i9Ago4EQRZ7TWxjfmeEpPkf6

Thank you for contributing to Nextcloud and we hope to hear from you soon!

(If you believe you should not receive this message, you can add yourself to the blocklist.)
