PHP Config contain database IDs and passwords.

Sooraj V Nair
Published on
04 Jul 2018
1 min read

The PHP configuration file is used for running applications that require PHP. The major use of this file is to configure the properties of the variable. This includes upload size, file timeouts, resource limits etc. The PHP file might include Database ids and password details. An attacker with an average idea on the working of the credentials can exploit the vulnerability and he will be able to communicate directly with the database.


The following is a sample code present in a PHP configuration file.

    ; PHP_MEMORY_LIMIT is taken from environment
    memory_limit = ${PHP_MEMORY_LIMIT}



Using this vulnerability, an attacker can:-

  • gain full access to the server.
  • perform a data breach for gathering sensitive information.
  • Read, update and delete any data/tables from the database.
  • Execute commands on the underlying operating system.

Mitigation / Precaution

Beagle recommends the following impacts:-

  • Restrict access to this file or restrict the disclosure
    • This can be done by creating a new file named configuration file with unix permission set to 644.
        define (DB_USER, "mysql_user");
        define (DB_PASSWORD, "mysql_password");
        define (DB_DATABASE, "database_name");
        define (DB_HOST, "localhost");

  • The following will be the change in the main PHP file.
    require ("configuration.php");
    public class DatabaseConnect
    function __construct()
        mysql_connect(DB_HOST,DB_USER,DB_PASSWORD) or die('Could not connect to MySQL server.');
Automated human-like penetration testing for your web apps & APIs
Teams using Beagle Security are set up in minutes, embrace release-based CI/CD security testing and save up to 65% with timely remediation of vulnerabilities. Sign up for a free account to see what it can do for you.

Written by
Sooraj V Nair
Sooraj V Nair
Cyber Security Engineer
Find website security issues in a flash
Improve your website's security posture with proactive vulnerability detection.
Free website security assessment
Experience the power of automated penetration testing & contextual reporting.