Hi @uk01,
It's not a security issue in php-fpm, it happens with other handlers as well.
To be fair, in environments today the disable_functions ini setting isn't something that should be relied on. Many environments (including shared) ship with handlers that allow overriding php.ini settings, including disable_functions; this means people can override the default ones provided by the host.
The stats that phpSysInfo gives are by no means a security issue. Let me explain why:
Hostname:
It will be known to anyone anyway.
Load:
This can be seen in cPanel under "Server Information" as well; the load doesn't reveal anything important other than the actual load. If you're offering SSH or have the "Terminal" in cPanel enabled, people can simply do "uptime" and they'll see the load.
Kernel Version:
Can be seen with "uname -a" through SSH or the "Terminal", or under "Server Information" in cPanel.
Memory:
This is exposed by /proc/meminfo or free -m; revealed system memory doesn't matter.
Swap:
Same as for memory; it doesn't matter.
Processor Info:
Can be seen from /proc/cpuinfo; nothing secret here.
Mounted File Systems:
Can be seen from /proc/mounts; nothing here is a secret.
Network usage:
This can be pulled from /proc/net/dev and doesn't contain any information that can't be known to customers.
Even if you're using CloudLinux, which locks down things that shouldn't really be exposed to customers or between customers, there are still things like network usage, (some) mounts, etc. that you can see. If you're afraid of this information being available, then you shouldn't host the clients on a server in the first place.
But more importantly, you should realize that none of the information exposed by phpSysInfo should be seen as confidential or "secrets". You can hide a bunch of things using CloudLinux, but the exposed information when you're running CloudLinux is completely fine.
If you're afraid of the kernel version, then update the kernel frequently (and reboot) or use something like KernelCare that patches your kernel every 4 hours if there are new security updates.
Load, memory or swap isn't "secret", and what CPU you use shouldn't be a secret either.
Possible "hackers" can't really use much of this either, so I'm not sure what the actual problem is with this data being exposed.