Description

The Zend Framework uses a file named application.ini to store various sensitive data (such as database credentials). This file is located in the /application/configs directory. Normally this file is not directly accessible, but some developers set the application root improperly and make the file accessible from the web.

Remediation

Restrict access to this file or set your document_root to myapp/public and not myapp. To restrict access to the file, create a .htaccess file in the directory "/application/configs" that contains the following line:

  deny from all
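
Both remediations expressed as Apache server configuration, as an added example that is not part of the original advisory. The path /var/www/myapp and the host name www.example.test are assumed placeholders, and the rewrite settings a Zend Framework application normally needs are omitted.

```apache
# Constructed example: /var/www/myapp and www.example.test are placeholders.

# Misconfigured: the application root is served as the web root, so
# /application/configs/application.ini can be requested over HTTP.
#   DocumentRoot "/var/www/myapp"

<VirtualHost *:80>
    ServerName www.example.test

    # Corrected: only the public/ directory is served, so application/,
    # library/ and the other project directories are outside the web root.
    DocumentRoot "/var/www/myapp/public"

    <Directory "/var/www/myapp/public">
        Require all granted
    </Directory>

    # Defense in depth: deny the application directory in the server
    # configuration itself. Unlike a .htaccess file, this does not depend
    # on AllowOverride; Apache 2.4 defaults to "AllowOverride None", in
    # which case a .htaccess file is ignored.
    <Directory "/var/www/myapp/application">
        # Apache 2.4 syntax:
        Require all denied

        # Apache 2.2 syntax (also accepted by 2.4 when mod_access_compat
        # is loaded), equivalent to the .htaccess line shown above:
        #   Order deny,allow
        #   Deny from all
    </Directory>
</VirtualHost>
```

After reloading the server, a request for /application/configs/application.ini on your own site should no longer return the file contents.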
