Zend framework configuration file information disclosure

  • The Zend Framework uses a file named application.ini in which various sensitive data is stored (such as database credentials). This file is located in the /application/configs directory. Normally this file is not directly accessible, but some developers set the application root improperly and make this file accessible from the web.
  • Restrict access to this file, or set your document_root to myapp/public rather than myapp. To restrict access to the file, create a .htaccess file in the directory "/application/configs" that contains the following line:
      deny from all
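
As an added illustration (not part of the original finding), a minimal Apache virtual host showing the misconfigured document root beside the corrected one; the path /var/www/myapp and the host name are assumed:

```apache
# Weak: the document root is the application root, so
# /application/configs/application.ini is served over HTTP.
<VirtualHost *:80>
    ServerName myapp.example
    DocumentRoot /var/www/myapp
</VirtualHost>

# Corrected: only the public/ directory is exposed, and the configs
# directory is denied explicitly in case the root is ever changed again.
<VirtualHost *:80>
    ServerName myapp.example
    DocumentRoot /var/www/myapp/public
    <Directory /var/www/myapp/public>
        Require all granted
    </Directory>
</VirtualHost>

<Directory /var/www/myapp/application/configs>
    # Apache 2.4 syntax; the 2.2 form "deny from all" only works
    # when mod_access_compat is loaded.
    Require all denied
</Directory>
```

The same `Require all denied` line can go in the .htaccess file described above if AllowOverride permits it for that directory.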