Zend framework configuration file information disclosure

  • The Zend Framework uses a file named <strong>application.ini</strong> to store various sensitive data (such as database credentials). This file is located in the <strong>/application/configs</strong> directory. Normally this file is not directly accessible, but some developers set the application root improperly and make this file accessible from the web.
  • Restrict access to this file, or set your document_root to myapp/public and not myapp. To restrict access to the file, create a .htaccess file in the directory "/application/configs" that contains the following line: <pre><code>deny from all</code></pre>
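
As an added example (not part of the original advisory), this local audit script checks which of the two fixes above is in place: whether application.ini lies outside the document root, or is covered by a deny rule in the .htaccess of the configs directory. The function names, verdict strings and temporary myapp tree are constructed for illustration; the rule match also accepts Apache 2.4's `Require all denied`.

```python
import os
import re
import tempfile

# Matches Apache 2.2 "deny from all" and Apache 2.4 "Require all denied".
DENY_RE = re.compile(r"^\s*(deny\s+from\s+all|require\s+all\s+denied)\s*$", re.I | re.M)
CONFIG_REL = os.path.join("application", "configs", "application.ini")

def audit(app_root, document_root):
    """Classify the exposure of application.ini for a given document root."""
    ini = os.path.realpath(os.path.join(app_root, CONFIG_REL))
    docroot = os.path.realpath(document_root)
    if not os.path.isfile(ini):
        return "not-found"
    # Outside the document root: the server cannot map a URL onto the file.
    if os.path.commonpath([ini, docroot]) != docroot:
        return "outside-docroot"
    # Inside the document root: only a deny rule in configs/.htaccess covers it.
    htaccess = os.path.join(os.path.dirname(ini), ".htaccess")
    if os.path.isfile(htaccess):
        with open(htaccess, encoding="utf-8", errors="replace") as fh:
            if DENY_RE.search(fh.read()):
                return "inside-docroot-denied"
    return "EXPOSED"

def demo():
    """Build a constructed Zend-style tree and audit three setups."""
    with tempfile.TemporaryDirectory() as tmp:
        app = os.path.join(tmp, "myapp")
        configs = os.path.join(app, "application", "configs")
        os.makedirs(configs)
        os.makedirs(os.path.join(app, "public"))
        with open(os.path.join(configs, "application.ini"), "w") as fh:
            fh.write("; constructed sample, no real credentials\n")
        results = {
            "docroot=myapp": audit(app, app),
            "docroot=myapp/public": audit(app, os.path.join(app, "public")),
        }
        with open(os.path.join(configs, ".htaccess"), "w") as fh:
            fh.write("deny from all\n")
        results["docroot=myapp + .htaccess"] = audit(app, app)
        return results

if __name__ == "__main__":
    for setup, verdict in demo().items():
        print(f"{setup}: {verdict}")
```

A verdict of inside-docroot-denied still depends on the server honouring .htaccess files (Apache's AllowOverride setting), so pointing the document root at myapp/public is the more robust of the two fixes.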