Bitrix server test script publicly accessible
Description
A Bitrix server test script (bitrixsetup.php or similar diagnostic files) is publicly accessible without authentication. This script is designed for hosting providers and administrators to verify server configuration and compatibility with 1C-Bitrix CMS requirements. It displays detailed system information including PHP configuration, database settings, file permissions, and installed modules. These diagnostic scripts are intended only for initial setup and testing, not for production environments.
Remediation
Remove the Bitrix server test script from the production web server immediately. If the script must be retained for maintenance purposes, implement the following protections:
1. Move the script outside the web-accessible directory structure.
2. Restrict access using web server configuration (example for Apache; multiple Require directives inside <Files> are combined with OR, so each listed source is allowed):

   <Files "bitrixsetup.php">
       Require ip 192.168.1.0/24
       Require ip YOUR_ADMIN_IP
   </Files>

3. For Nginx, add to the server configuration (place it before the generic PHP location block, since nginx uses the first matching regular-expression location):

   location ~* (bitrixsetup\.php|bitrix_server_test\.php) {
       allow 192.168.1.0/24;
       allow YOUR_ADMIN_IP;
       deny all;
   }

4. Implement authentication requirements if access is needed.
5. Regularly audit the web root directory for diagnostic and test files that should not be publicly accessible.
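The following script is an added example for steps 1 and 5 above; it is not part of the original finding and not a 1C-Bitrix tool. It scans a web root for the two diagnostic filenames named on this page (case-insensitively, since the same file is sometimes deployed with a different case), counts them, and can quarantine them into a directory outside the web root. The demo tree it builds under a temporary directory is constructed for illustration; the web root path and quarantine directory are assumptions you replace with your own.

```shell
#!/bin/sh
# Added example (not from the original finding): audit a web root for Bitrix
# diagnostic scripts and move any found outside the web-accessible tree.
# Only bitrixsetup.php and bitrix_server_test.php are named in the finding;
# extend the -iname list if your deployment ships other test files.

# find_diag_scripts WEBROOT
# Print every diagnostic script under WEBROOT, one path per line.
# -type f skips directories; -iname catches case variants of the names.
find_diag_scripts() {
    find "$1" -type f \( -iname 'bitrixsetup.php' -o -iname 'bitrix_server_test.php' \) -print
}

# count_diag_scripts WEBROOT
# Print the number of diagnostic scripts found (0 means the web root is clean).
count_diag_scripts() {
    find_diag_scripts "$1" | wc -l | tr -d ' '
}

# check_webroot WEBROOT
# Exit status 0 when no diagnostic script is present, 1 otherwise,
# so the function can drive a cron job or CI gate directly.
check_webroot() {
    [ "$(count_diag_scripts "$1")" = "0" ]
}

# quarantine_diag_scripts WEBROOT DEST
# Move each diagnostic script into DEST (a directory outside the web root).
# The original path is flattened into the file name (slashes become
# underscores) so two files with the same name cannot overwrite each other.
quarantine_diag_scripts() {
    mkdir -p "$2"
    find "$1" -type f \( -iname 'bitrixsetup.php' -o -iname 'bitrix_server_test.php' \) \
        -exec sh -c 'dest=$1; shift; for f; do mv -- "$f" "$dest/$(printf %s "$f" | tr / _)"; done' sh "$2" {} +
}

# make_demo_webroot
# Build a constructed sample web root in a temporary directory and print its
# path: two diagnostic scripts in different places plus an ordinary index.php.
make_demo_webroot() {
    root=$(mktemp -d)
    mkdir -p "$root/bitrix/tools" "$root/upload"
    printf '<?php // constructed stub\n' > "$root/bitrixsetup.php"
    printf '<?php // constructed stub\n' > "$root/bitrix/tools/bitrix_server_test.php"
    printf '<?php // constructed stub, mixed case\n' > "$root/upload/BITRIXSETUP.PHP"
    printf '<?php // application entry point, must stay\n' > "$root/index.php"
    printf '%s\n' "$root"
}

# Stand-alone use: sh audit_webroot.sh /var/www/html
# Lists the offending files; pair with quarantine_diag_scripts once reviewed.
if [ "$#" -gt 0 ]; then
    find_diag_scripts "$1"
fi
```

Run `check_webroot /path/to/webroot` from cron or a deployment pipeline and alert on a non-zero exit; run `quarantine_diag_scripts` only after reviewing the listed paths, since the quarantine directory must itself sit outside any document root.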