Description
PHP-FPM (FastCGI Process Manager) is an alternative PHP FastCGI implementation. PHP-FPM has a feature that allows setting up a status page to view that status of a PHP-FPM pool, configurable using the option pm.status_path.
On this server the PHP-FPM Status Page is publicly accessible. For security reasons, its recommended to keep your PHP-FPM status page private.
Remediation
For security reasons, its recommended to keep your PHP-FPM status page private. You can restrict access to certain IP addresses by using the allow keyword as shown below:
location ~ ^/(status|ping)$ {
access_log off;
allow 127.0.0.1;
allow 1.2.3.4#your-ip;
deny all;
include fastcgi_params;
fastcgi_pass 127.0.0.1:9000;
}
References
Related Vulnerabilities
Possible server path disclosure (Unix)
WordPress Plugin Simple History Information Disclosure (2.7.4)
WordPress Plugin Plugin:Newsletter 'data' Parameter Information Disclosure (1.5)
Server-based source code disclosures
WordPress Plugin Product Subtitle For WooCommerce Arbitrary File Disclosure (4.1)