Exposed settings.php
Description
Detects backup copies of settings.php (for example settings.php.bak, settings.php.old, settings.php~ or an editor swap file) left in the web root. settings.php is Drupal's site configuration file and holds the database credentials, the site hash salt and other secrets. The live file is executed by PHP and never shown to clients, but a copy whose name no longer ends in .php is not handed to the PHP handler, so the web server returns its source as plain text to anyone who requests it.
Remediation
To remediate an exposed settings.php backup:
- Remove the backup copies (settings.php.bak, settings.php.old, settings.php~, editor swap files and similar) from the web root, or move them to a directory the web server cannot serve. Tightening permissions on the backup does not help on its own: the process that must not read it is the same web server process that serves it. Keep the real settings.php read-only (for example mode 440, owned by a deploy user with the web server's group), as Drupal's own permission guidance recommends.
- Move database credentials, the hash salt and other secrets out of settings.php into environment variables or a file outside the web root that settings.php includes, so that a leaked copy discloses less.
- Keep settings.php and its backups out of version control (add them to .gitignore) and make sure backup jobs never write their output into the web root.
- Deny access at the web server layer to backup and dot files everywhere under the web root, not only to settings.php: the live settings.php is executed, the copies with other extensions are what leak. Drupal's stock .htaccess already contains a FilesMatch rule for the ~, .sw[op], .bak, .orig and .save suffixes on .php files, but not for .old, .txt or .dist; if the .htaccess has been edited, or the site runs on nginx (which ignores .htaccess entirely), add an equivalent deny rule to the server configuration.
- Audit file permissions and the served-file rules regularly, and in particular after each deployment, since deploy scripts and editors recreate backup files.
- Use the security modules provided by the CMS to enhance file security.
- Keep the CMS and its contributed modules updated to their latest secure versions.
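The first and last remediation steps above (find the backup copies on disk, and verify nothing is served after the fix) as an added POSIX shell example. This is not Escape's own check and not Drupal code; the suffix list and the sites/default/ path are assumptions and should be extended for multi-site installs.

```shell
#!/bin/sh
# Added example (not Escape's own check): audit a Drupal webroot for backup
# copies of settings.php that a web server would serve as plain text, and
# probe a running site for the same names. The suffix list and the
# sites/default/ path are assumptions; adjust them for multi-site installs.

# Candidate backup names for settings.php. Editors (~, .swp), deploy tools
# (.dist, .orig) and admins (.bak, .old, .save) all produce these. None of them
# ends in .php, so PHP will not execute them and the server serves the source.
settings_backup_names() {
  for suffix in bak old orig save dist txt copy 1 2; do
    printf 'settings.php.%s\n' "$suffix"
  done
  printf 'settings.php~\n'
  printf '.settings.php.swp\n'
  printf 'settings.php.swp\n'
}

# List every backup copy of settings.php under a webroot, one per line, with
# "world-readable" appended when the 'other' read bit is set. The live
# settings.php is deliberately not listed: it is executed, not leaked.
find_settings_backups() {
  webroot=$1
  settings_backup_names | while IFS= read -r name; do
    find "$webroot" -type f -name "$name" 2>/dev/null | while IFS= read -r path; do
      # find on a single regular file only tests that file's mode bits.
      if [ -n "$(find "$path" -perm -o+r)" ]; then
        printf '%s world-readable\n' "$path"
      else
        printf '%s\n' "$path"
      fi
    done
  done | sort
}

# Probe a live site after the fix: request each candidate under sites/default/
# and report responses that look like Drupal settings (database array or
# hash salt). curl -f skips 403/404 answers, which is the expected result.
probe_settings_backups() {
  base=${1%/}
  settings_backup_names | while IFS= read -r name; do
    url="$base/sites/default/$name"
    body=$(curl -s -f --max-time 10 "$url") || continue
    case $body in
      *'$databases'*|*hash_salt*) printf 'EXPOSED %s\n' "$url" ;;
    esac
  done
}
```

Run `find_settings_backups /var/www/html` on the server to list what has to be deleted, then `probe_settings_backups https://example.com` (assumed host) from outside the network; the probe only reports a URL when the body contains Drupal-specific content, so a custom 200 error page does not produce a false positive.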
Configuration
Identifier:
information_disclosure/exposed_settings.php
Examples
Ignore this check
checks:
  information_disclosure/exposed_settings.php:
    skip: true
Score
- Escape Severity: HIGH
Compliance
OWASP: API8:2023
pci: 2.2
gdpr: Article-32
soc2: CC6
psd2: Article-95
iso27001: A.12.3
nist: SP800-123
fedramp: SI-2
Classification
- CWE: 200