Description

PHP-FPM (FastCGI Process Manager) is an alternative PHP FastCGI implementation. PHP-FPM has a feature that allows setting up a status page to view the status of a PHP-FPM pool, configurable using the option pm.status_path.

On this server the PHP-FPM status page is publicly accessible. For security reasons, it's recommended to keep your PHP-FPM status page private.

Remediation

For security reasons, it's recommended to keep your PHP-FPM status page private. You can restrict access to certain IP addresses with nginx's allow and deny directives, as shown below:

location ~ ^/(status|ping)$ {
    access_log off;
    allow 127.0.0.1;
    allow 1.2.3.4;    # replace with your own IP address
    deny all;
    include fastcgi_params;
    fastcgi_pass 127.0.0.1:9000;
}
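The block above only works because of the order of the rules: nginx checks allow/deny directives top to bottom, the first rule that matches the client address wins, and a request that matches no rule at all is allowed. Dropping the trailing deny all therefore reopens the status page to everyone. The following Python script is an added example, not part of this finding or of nginx itself; it models that evaluation, parses the remediation block (with 1.2.3.4 standing in for your own address) and a constructed variant without deny all, and tests both against a constructed outside client 203.0.113.10.

```python
"""Model of how nginx's access module evaluates allow/deny directives.

Rules are checked in the order written; the first rule whose address or
CIDR matches the client decides.  If no rule matches, nginx ALLOWS the
request, which is why the trailing `deny all;` is essential.
"""
import ipaddress
import re
from typing import List, Optional, Tuple

# Constructed sample: the remediation block, with 1.2.3.4 as a placeholder
# for the administrator's real address.
HARDENED_BLOCK = """
location ~ ^/(status|ping)$ {
    access_log off;
    allow 127.0.0.1;
    allow 1.2.3.4;    # replace with your own IP address
    deny all;
    include fastcgi_params;
    fastcgi_pass 127.0.0.1:9000;
}
"""

# Constructed counter-example: same block, but `deny all;` was forgotten.
MISSING_DENY_BLOCK = """
location ~ ^/(status|ping)$ {
    access_log off;
    allow 127.0.0.1;
    allow 1.2.3.4;
    include fastcgi_params;
    fastcgi_pass 127.0.0.1:9000;
}
"""

RULE_RE = re.compile(r"^\s*(allow|deny)\s+(\S+?)\s*;")

Rule = Tuple[str, Optional[ipaddress._BaseNetwork]]


def parse_rules(block: str) -> List[Rule]:
    """Extract (action, network) pairs in declaration order.

    `all` is stored as None.  Anything else must parse as an address or
    CIDR, so a fused comment such as `allow 1.2.3.4#your-ip;` raises
    ValueError instead of silently producing a rule that never matches.
    """
    rules: List[Rule] = []
    for raw in block.splitlines():
        # nginx only treats '#' as a comment at the start of a token, so
        # strip it when preceded by whitespace or at line start, not mid-word.
        line = re.sub(r"(^|\s)#.*$", "", raw)
        match = RULE_RE.match(line)
        if not match:
            continue  # access_log, include, fastcgi_pass, braces, blanks
        action, target = match.group(1), match.group(2)
        net = None if target == "all" else ipaddress.ip_network(target, strict=False)
        rules.append((action, net))
    return rules


def is_allowed(rules: List[Rule], client_ip: str) -> bool:
    """First matching rule wins; no match means the request is allowed."""
    addr = ipaddress.ip_address(client_ip)
    for action, net in rules:
        if net is None or (addr.version == net.version and addr in net):
            return action == "allow"
    return True  # nginx default when nothing matched


def evaluate(block: str, clients: List[str]) -> dict:
    """Map each client address to the access decision for this block."""
    rules = parse_rules(block)
    return {ip: is_allowed(rules, ip) for ip in clients}


if __name__ == "__main__":
    # 203.0.113.10 is a constructed "outside" client from the TEST-NET-3 range.
    clients = ["127.0.0.1", "1.2.3.4", "203.0.113.10"]
    print("hardened block:    ", evaluate(HARDENED_BLOCK, clients))
    print("missing deny all:  ", evaluate(MISSING_DENY_BLOCK, clients))
```

Two caveats when applying this for real. First, the status page exists only if pm.status_path is set in the pool configuration, so if nobody needs it, leaving that option unset removes the exposure entirely. Second, an IP allow-list is only as good as the client address nginx sees: behind a load balancer or CDN that address is the proxy's, and the restriction will not behave as intended until nginx is configured to recover the real client address.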
