The phpinfo() function outputs a large amount of information about the current state of PHP. This includes information about PHP compilation options and extensions, the PHP version, server information and environment (if compiled as a module), the PHP environment, OS version information, paths, master and local values of configuration options and request variables, HTTP headers, and the PHP License.

Because phpinfo() leaks a lot of information to the viewer, it is not recommended to leave a script executing phpinfo() on a production server. However, in reality phpinfo() scripts are left open on a lot of servers.

While this is already bad enough, there is also a problem when request variables of a certain form are displayed. With a properly crafted URL that contains a stacked array assignment, it is, for example, possible to inject HTML code into the output of phpinfo(), which could result in the leakage of domain cookies (for example, session identifiers).

Reproducible: Always

Steps to Reproduce: 1. 2. 3.
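A defensive check for the deployment problem this report describes, as an added example that is not part of the original report: a Python scan of a document root for files that still contain a live phpinfo() call. The file extensions, function names and sample files are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

PHP_SUFFIXES = {".php", ".phtml", ".inc"}  # assumed extensions; adjust to the server's handlers

# Heuristic lexer, not a PHP parser: comments and string literals are consumed
# first so that commented-out or quoted "phpinfo(" text is not reported.
_TOKEN = re.compile(
    r"""
    (?P<skip> /\*.*?\*/ | (?://|\#)[^\n]* | '(?:\\.|[^'\\])*' | "(?:\\.|[^"\\])*" )
  | (?P<call> (?<![\w$>:]) phpinfo \s* \( )
    """,
    re.VERBOSE | re.DOTALL | re.IGNORECASE,
)

def find_phpinfo_calls(source: str) -> list[int]:
    """Return 1-based line numbers of live phpinfo() calls in PHP source."""
    return [source.count("\n", 0, m.start()) + 1
            for m in _TOKEN.finditer(source) if m.group("call")]

def audit_docroot(root: Path) -> dict[str, list[int]]:
    """Map each PHP-like file under root (relative path) to its phpinfo() call lines."""
    findings = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in PHP_SUFFIXES:
            lines = find_phpinfo_calls(path.read_text(errors="replace"))
            if lines:
                findings[path.relative_to(root).as_posix()] = lines
    return findings

def build_sample_docroot(root: Path) -> None:
    """Constructed sample files standing in for a web root."""
    (root / "info.php").write_text("<?php\nphpinfo();\n")
    (root / "admin").mkdir()
    (root / "admin" / "debug.PHP").write_text(
        "<?php\n// diagnostics\nif ($debug) { PhpInfo(INFO_ALL); }\n")
    (root / "index.php").write_text(
        "<?php\n// phpinfo();\necho 'call phpinfo() to debug';\n"
        "/* phpinfo(); */\n$obj->phpinfo();\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_docroot(Path(tmp))
        for name, lines in audit_docroot(Path(tmp)).items():
            print(f"{name}: phpinfo() called on line(s) {lines}")
```

Method calls such as `$obj->phpinfo()` and user functions whose names merely end in `phpinfo` are skipped by the lookbehind, while the built-in is matched case-insensitively because PHP function names are case-insensitive.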
Regrouping issues...

*** This bug has been marked as a duplicate of 111032 ***