Zend framework configuration file information disclosure
Description
The Zend Framework stores application configuration settings, including database credentials and API keys, in a file named application.ini located in the /application/configs directory. When developers incorrectly configure the web server's document root to point at the application base directory instead of the /public subdirectory, this configuration file becomes directly accessible via HTTP requests. Attackers can exploit this misconfiguration to download the file and extract sensitive credentials and configuration data.
Remediation
Implement the following security measures to protect the configuration file:<br/><br/><strong>1. Configure the correct document root:</strong> Set your web server's document root to the <strong>/public</strong> directory (e.g., <code>/var/www/myapp/public</code>) rather than the application base directory. This ensures configuration files remain outside the web-accessible path.<br/><br/><strong>2. Restrict directory access using .htaccess (Apache):</strong> Create a <strong>.htaccess</strong> file in the <strong>/application/configs</strong> directory with the following content:<pre><Files "*"> Require all denied </Files></pre>For Apache 2.2 and earlier, use:<pre>Order deny,allow Deny from all</pre><br/><strong>3. For Nginx:</strong> Add the following location block to your server configuration:<pre>location ~* ^/application/configs/ { deny all; return 404; }</pre><br/><strong>4. Verify protection:</strong> After implementing these changes, attempt to access the file directly via your browser (e.g., <code>https://yoursite.com/application/configs/application.ini</code>) to confirm it returns a 403 Forbidden or 404 Not Found error.