PHP X Prober publicly accessible
Description
X Prober is a diagnostic tool that displays comprehensive PHP environment information on a single web page. When publicly accessible, it exposes detailed server configuration data including PHP version, installed extensions, system paths, environment variables, and performance metrics. This information disclosure can aid attackers in reconnaissance and attack planning.
Remediation
Remove X Prober completely from production environments as it is intended only for development and diagnostic purposes. If removal is not immediately possible, implement the following controls:
1. Restrict access using IP-based allowlisting in your web server configuration
2. Require authentication before accessing the tool
3. Move the file to a non-public directory outside the web root
For Apache, add IP restrictions in .htaccess or virtual host configuration:
<Files "x-prober.php">
    Require ip 192.168.1.0/24
    Require ip 10.0.0.1
</Files>
For Nginx, add to your server block:
location ~* x-prober\.php$ {
    allow 192.168.1.0/24;
    allow 10.0.0.1;
    deny all;
}
Verify the tool is inaccessible from external networks after implementing restrictions.
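The verification step above can be scripted. The following is an added example, not part of this advisory and not code from the X Prober project: it fetches the endpoint from an external vantage point, classifies the response as blocked or still exposed, and separately evaluates a client IP against the same allowlist entries used in the Apache and Nginx snippets so the intended ranges can be sanity-checked before deployment. The hostname is a placeholder, and the page markers used to recognise an X Prober response are an assumption about the tool's HTML.

```python
"""Post-remediation check for an X Prober endpoint.

Added example (not part of the advisory or the X Prober project).
Assumptions: the target URL is a placeholder, and EXPOSURE_MARKERS guesses
at strings present in the tool's HTML output.
"""
import ipaddress
import sys
import urllib.error
import urllib.request

# Assumed markers of an X Prober page body; adjust if the deployed version differs.
EXPOSURE_MARKERS = ("X Prober", "x-prober")

# HTTP statuses that show the access control is in effect (or the file is gone).
BLOCKED_STATUSES = {401, 403, 404, 410}


def classify_response(status: int, body: str) -> str:
    """Return 'blocked', 'exposed', 'unreachable' or 'unexpected'.

    'unexpected' covers responses that need a human look, e.g. a 200 that is a
    custom landing page, or a redirect chain that ended somewhere else.
    """
    if status == 0:
        return "unreachable"
    if status in BLOCKED_STATUSES:
        return "blocked"
    lowered = body.lower()
    if status == 200 and any(m.lower() in lowered for m in EXPOSURE_MARKERS):
        return "exposed"
    return "unexpected"


def fetch(url: str, timeout: float = 10.0):
    """GET url and return (status, body); HTTP error statuses are returned,
    and a connection failure is reported as status 0 with an empty body."""
    req = urllib.request.Request(url, headers={"User-Agent": "x-prober-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")
    except urllib.error.URLError:
        return 0, ""


def ip_allowed(client_ip: str, allowlist) -> bool:
    """Mirror the 'Require ip' / 'allow' rules: True if client_ip falls inside
    any allowlist entry (single addresses are treated as /32 or /128)."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(entry, strict=False) for entry in allowlist)


if __name__ == "__main__":
    # Placeholder host; run this from outside the allowlisted ranges.
    target = sys.argv[1] if len(sys.argv) > 1 else "https://example.invalid/x-prober.php"
    status, body = fetch(target)
    verdict = classify_response(status, body)
    print(f"{target}: HTTP {status} -> {verdict}")
    sys.exit(0 if verdict == "blocked" else 1)
```

Run it from a network that is not in the allowlist; a non-zero exit means the page is still reachable or the result needs inspection. The `Require ip` form in the Apache snippet is the Apache 2.4 mod_authz_core syntax; on 2.2 the equivalent is `Order deny,allow` with `Deny from all` and `Allow from` lines.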