PHP opcache-gui publicly accessible

Description

PHP OPcache is a performance optimization feature that stores precompiled PHP bytecode in shared memory to eliminate repeated script parsing. The opcache-gui package provides a web-based status interface that displays detailed information about the OPcache configuration and cached files.

This vulnerability occurs when the opcache-gui status page is publicly accessible without authentication. The interface exposes sensitive technical details including file paths, server configuration, memory usage patterns, and cached script locations that should not be available to unauthorized users.

Remediation

Immediately remove or restrict access to the opcache-gui interface on production systems using one of the following methods:

Option 1: Remove the interface (Recommended for production)
Delete the opcache-gui files from the web-accessible directory entirely.

Option 2: Implement IP-based access control
Configure your web server to restrict access to authorized IP addresses only.

For Apache (.htaccess or virtual host configuration):

<Files "opcache.php">
    Require ip 192.168.1.0/24
    Require ip 10.0.0.5
</Files>

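For Nginx (server or location block):

# Place this block before any general "location ~ \.php$" block:
# nginx uses the first regex location that matches the request.
location ~ opcache\.php$ {
    allow 192.168.1.0/24;
    allow 10.0.0.5;
    deny all;
    # "php-fpm" is the name of the PHP-FPM upstream defined elsewhere in the configuration.
    fastcgi_pass php-fpm;
}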

Option 3: Implement authentication
Add HTTP Basic Authentication to protect the interface. Ensure strong credentials are used and transmitted over HTTPS only.

After implementing restrictions, verify that the opcache-gui page is no longer accessible from unauthorized networks.
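
One way to run that verification from a host outside the allowed range (an added example, not part of the original advisory): the script requests the page once without credentials and maps the response status to the three remediation options above. The function names and verdict labels are assumptions of this example.

```python
"""Check that an opcache-gui URL is closed to a client that sends no credentials."""
import sys
import urllib.error
import urllib.request
from urllib.parse import urlsplit


def classify(url, status, headers):
    """Return (verdict, reason); headers is a dict with lower-cased names."""
    if status == 404:
        return "ok", "interface removed (Option 1)"
    if status == 403:
        return "ok", "request denied by access control (Option 2)"
    if status == 401:
        basic = headers.get("www-authenticate", "").lower().startswith("basic")
        if basic and urlsplit(url).scheme != "https":
            return "weak", "Basic auth offered over plain HTTP (Option 3 needs HTTPS)"
        return "ok", "authentication required (Option 3)"
    if 300 <= status < 400:
        return "review", "redirect to %s; check that URL too" % headers.get("location", "?")
    if 200 <= status < 300:
        return "exposed", "page served without authentication"
    return "review", "unexpected status %d" % status


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # surface the 3xx itself instead of following it


def check(url, timeout=10):
    """Fetch url once, without credentials, and classify the response."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            status, hdrs = resp.status, resp.headers
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx arrive as exceptions
        status, hdrs = err.code, err.headers
    return classify(url, status, {k.lower(): v for k, v in hdrs.items()})


if __name__ == "__main__" and len(sys.argv) > 1:
    verdict, reason = check(sys.argv[1])
    print(f"{verdict}: {reason}")
    sys.exit(0 if verdict == "ok" else 1)
```

Run it with the full URL of the status page as the only argument; a non-zero exit code means the page is still reachable or needs a manual look.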
