Phpfastcache phpinfo publicly accessible (CVE-2021-37704)
Description
Phpfastcache versions prior to the patched release expose a publicly accessible phpinfo() diagnostic page when the "/vendor" directory is not properly restricted from web access. This information disclosure vulnerability (CVE-2021-37704) allows unauthenticated attackers to view detailed PHP configuration data, including environment variables, loaded modules, and system paths, which can be leveraged to plan more sophisticated attacks.
Remediation
Immediately upgrade Phpfastcache to version 8.0.8 or later, which removes the vulnerable phpinfo() exposure. Additionally, ensure the "/vendor" directory is blocked from public web access by configuring your web server appropriately:
For Apache, add to your virtual host configuration (a <Directory> block is not permitted inside .htaccess; a .htaccess file placed in the vendor directory itself would carry only the "Require all denied" line):
<Directory /path/to/vendor>
Require all denied
</Directory>
For Nginx, add to your server block:
location /vendor {
deny all;
return 404;
}
Verify the fix by attempting to access /vendor/phpfastcache/phpfastcache/docs/phpinfo.php directly; it should return a 403 or 404 error. Review any exposed information and rotate credentials if sensitive data may have been disclosed.
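Deciding whether credentials need rotating means knowing whether the phpinfo page (or anything else under /vendor/) was actually served before the fix. The following added example, not part of the advisory or the Phpfastcache project, scans Apache/Nginx "combined" format access logs and reports which client IPs received a 2xx for a /vendor/ path and whether the phpinfo.php path named above was among them; the log lines are constructed samples.

```python
import re
from collections import Counter

# Default "combined" log format written by both Apache and Nginx.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Path of the diagnostic page named in the advisory.
PHPINFO_PATH = "/vendor/phpfastcache/phpfastcache/docs/phpinfo.php"

def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["path"] = entry["path"].split("?", 1)[0]  # drop any query string
    return entry

def classify(entry):
    """'exposed' if a /vendor/ path was served with 2xx, 'blocked' otherwise, None if unrelated."""
    if not entry["path"].startswith("/vendor/"):
        return None
    return "exposed" if 200 <= entry["status"] < 300 else "blocked"

def scan(lines):
    """Summarise /vendor/ requests: per-IP count of 2xx hits, blocked count, phpinfo.php served?"""
    exposed_ips, blocked, phpinfo_served = Counter(), 0, False
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        verdict = classify(entry)
        if verdict == "exposed":
            exposed_ips[entry["ip"]] += 1
            phpinfo_served = phpinfo_served or entry["path"] == PHPINFO_PATH
        elif verdict == "blocked":
            blocked += 1
    return {"exposed_ips": dict(exposed_ips), "blocked": blocked, "phpinfo_served": phpinfo_served}

# Constructed sample log lines (documentation-range IPs), not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Aug/2021:14:02:11 +0000] "GET /vendor/phpfastcache/phpfastcache/docs/phpinfo.php HTTP/1.1" 200 61234 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Aug/2021:14:02:15 +0000] "GET /vendor/composer/installed.json HTTP/1.1" 200 8812 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [11/Aug/2021:09:30:02 +0000] "GET /vendor/phpfastcache/phpfastcache/docs/phpinfo.php HTTP/1.1" 403 199 "-" "curl/7.68.0"',
    '192.0.2.44 - - [11/Aug/2021:09:31:10 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

A non-empty exposed_ips or phpinfo_served set to True on the pre-fix log window is the signal to treat the PHP configuration and environment variables as disclosed and rotate accordingly.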