BTS1 (Aspirant), May 29, 2013
PHP exposes root password in clear text
Hi all, I apologize - I don't know where this post belongs. I installed php5.3 from readynasextras in order to install owncloud. In the process, since I had screwed around with stuff, I pulled a ph...
WhoCares_ (Mentor), May 29, 2013
chirpa wrote: First, I recommend admin and root have separate passwords.
That would be the best approach.
chirpa wrote: As long as you have PHP files under a http/https path that requires auth, those values will likely be available to be read. If you use the HTTP setting for a read-only share to serve pages, it should not show up; if it does, scary indeed.
Also, the output of phpinfo(); should never be exposed to users. It is and always was intended as a debugging help for PHP developers. The same is true for the $_SERVER variables which normally are only used internally and shouldn't get echoed to the user in a normal application.
chirpa wrote: There may be a php.ini setting to exclude those somehow also.
Not that I would know. As it is, the behavior described is actually the way it is intended by PHP and, as with other programming languages, internal variables aren't meant to be exposed. For the PHP_AUTH stuff: This will always display the information for the *current authenticated user*, which means that an unauthenticated user, even if able to request the phpinfo(); output, wouldn't get those values, for he/she isn't authenticated. Every authenticated user would only get *his* personal credentials, which he/she should already know. So not much of a security issue there either.
-Stefan
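
An added example, not part of the thread and not NETGEAR or ownCloud code: a debug helper that prints request variables the way a developer might use phpinfo(), but masks the entries that carry HTTP authentication data, so PHP_AUTH_PW never reaches the page. The function names, the key list and the sample values are assumptions made for illustration.

```php
<?php
// Added example: dump $_SERVER-style data with credential-bearing keys masked.
// Function names and the key list below are assumptions, not a PHP built-in.

function redacted_server_vars(array $server)
{
    // $_SERVER keys that carry HTTP auth credentials or session cookies.
    $sensitive = array(
        'PHP_AUTH_USER', 'PHP_AUTH_PW', 'PHP_AUTH_DIGEST',
        'HTTP_AUTHORIZATION', 'REDIRECT_HTTP_AUTHORIZATION', 'HTTP_COOKIE',
    );
    $out = array();
    foreach ($server as $key => $value) {
        if (in_array($key, $sensitive, true)) {
            $out[$key] = '[redacted]';
        } else {
            // Non-scalar entries (e.g. argv) are shown by type only.
            $out[$key] = is_scalar($value) ? (string) $value : gettype($value);
        }
    }
    ksort($out);
    return $out;
}

function render_debug_table(array $server)
{
    $rows = '';
    foreach (redacted_server_vars($server) as $key => $value) {
        // Escape both columns: header values are client-controlled input.
        $rows .= sprintf(
            "<tr><td>%s</td><td>%s</td></tr>\n",
            htmlspecialchars($key, ENT_QUOTES, 'UTF-8'),
            htmlspecialchars($value, ENT_QUOTES, 'UTF-8')
        );
    }
    return "<table>\n{$rows}</table>\n";
}

// Constructed sample standing in for $_SERVER after HTTP Basic auth.
$sample = array(
    'REQUEST_URI'        => '/debug.php',
    'PHP_AUTH_USER'      => 'admin',
    'PHP_AUTH_PW'        => 'constructed-password',
    'HTTP_AUTHORIZATION' => 'Basic Y29uc3RydWN0ZWQ=',
);
echo render_debug_table($sample);
```

On a live page the call would be render_debug_table($_SERVER), still kept behind authentication and removed once debugging is done.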