PHP opcache-status page publicly accessible
Description
OPcache is a PHP performance optimization feature that stores precompiled script bytecode in shared memory, eliminating the need to load and parse scripts on each request. The opcache-status package provides a web-accessible dashboard that displays detailed information about the OPcache configuration and runtime statistics.
This vulnerability occurs when the opcache-status page is publicly accessible without authentication or access controls. The status page reveals sensitive system information including file paths, configuration settings, memory usage patterns, cached script locations, and internal application structure that could assist attackers in reconnaissance activities.
Remediation
Immediately remove the opcache-status page from production environments. If monitoring OPcache performance is required in production, implement the following security controls:
1. Restrict access by IP address - Configure web server rules to allow access only from trusted IP addresses:
   # Apache .htaccess example
   # (note: without a <Files> block these rules apply to every file in the directory)
   Require ip 192.168.1.0/24
   Require ip 10.0.0.5

   # Nginx example
   location ~ opcache\.php$ {
       allow 192.168.1.0/24;
       allow 10.0.0.5;
       deny all;
       fastcgi_pass php-fpm;
   }
2. Implement authentication - Require HTTP basic authentication or integrate with your application's authentication system
3. Use non-guessable URLs - Rename the file to a non-predictable name (e.g., opcache-a8f3k2j9.php); treat this as a supplementary measure, not a replacement for the access controls above
4. Monitor access logs - Regularly review access logs for unauthorized access attempts
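As an added example (not part of this advisory or of the opcache-status project), the following Python script covers step 4 against the allowlist from step 1: it parses combined-format access log lines and reports requests for the status page from addresses outside the allowlist, distinguishing requests that were actually served (the control is missing) from those that were blocked (someone is probing). The log lines and the path /opcache.php are constructed; a renamed page must be added to STATUS_PATHS.

```python
import ipaddress
import re
from typing import Iterable

# Combined log format as written by Apache and Nginx by default.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

# Same allowlist as the web server rules in step 1.
ALLOWED_NETS = [ipaddress.ip_network(n) for n in ("192.168.1.0/24", "10.0.0.5/32")]

# Paths that expose the status page (constructed; list any renamed copy here too).
STATUS_PATHS = ("/opcache.php",)

def is_allowed(ip: str) -> bool:
    """True if the client address falls inside one of the allowlisted networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in ALLOWED_NETS)

def find_suspicious(lines: Iterable[str]) -> list[dict]:
    """Return status-page requests from outside the allowlist.

    served=True (HTTP 200) means the page was delivered to an untrusted client;
    served=False (e.g. 403) means the deny rule held but the path is being probed.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        path = m.group("path").split("?", 1)[0]  # ignore the query string
        if path not in STATUS_PATHS or is_allowed(m.group("ip")):
            continue
        status = int(m.group("status"))
        hits.append({"ip": m.group("ip"), "path": path,
                     "status": status, "served": status == 200})
    return hits

# Constructed sample log lines: one trusted admin, one untrusted client that was
# served the page, one untrusted client that was blocked, one unrelated request.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /opcache.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:13:56:01 +0000] "GET /opcache.php?v=2 HTTP/1.1" 200 5120 "-" "curl/8.0"',
    '198.51.100.9 - - [10/Oct/2023:13:57:12 +0000] "GET /opcache.php HTTP/1.1" 403 199 "-" "curl/8.0"',
    '198.51.100.9 - - [10/Oct/2023:13:57:13 +0000] "GET /index.php HTTP/1.1" 200 812 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(hit)
```

In a real deployment, feed the script the web server's access log (for example via `tail -f`) and alert on any hit with served=True, since that indicates the page is reachable without the intended restriction.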
For development and staging environments, ensure these pages are not accessible from the public internet by placing them behind VPN or firewall restrictions.