The PHP configuration file is used to run applications that require PHP. Its main purpose is to set PHP's configuration variables, including upload size, file timeouts and resource limits. The file might also contain database IDs and passwords. An attacker with an average understanding of how the credentials work can exploit this exposure and communicate directly with the database.
The following is a sample of the settings found in a PHP configuration file.
; PHP_MEMORY_LIMIT is taken from environment
memory_limit = ${PHP_MEMORY_LIMIT}
Using this vulnerability, an attacker can:-
Beagle recommends the following impacts:-
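    <?php
    // configuration.php: database credentials defined as constants
    define('DB_USER', 'mysql_user');
    define('DB_PASSWORD', 'mysql_password');
    define('DB_DATABASE', 'database_name');
    define('DB_HOST', 'localhost');
    ?>

    <?php
    // Load the constants defined in configuration.php
    require 'configuration.php';

    class DatabaseConnect
    {
        private $link;

        public function __construct()
        {
            // mysqli replaces the mysql_* functions, which were removed in PHP 7
            $this->link = mysqli_connect(DB_HOST, DB_USER, DB_PASSWORD)
                or die('Could not connect to MySQL server.');
            mysqli_select_db($this->link, DB_DATABASE);
        }
    }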
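An audit sketch for the exposure described above, added here as an example and not taken from Beagle or the original page: it walks a web root, reports PHP files that define `DB_USER` or `DB_PASSWORD` as string literals (the `define()` pattern in the `configuration.php` sample), and notes when such a file is world-readable. The function names, the `configuration_env.php` file name and the sample files are assumptions constructed for the demonstration.

```python
import os
import re
import stat
import tempfile

# define(DB_X, "literal"), constant name quoted or bare as in the page's sample.
DEFINE_RE = re.compile(
    r"""define\s*\(\s*['"]?(DB_[A-Z_]+)['"]?\s*,\s*(['"])(.*?)\2\s*\)""", re.I)
SECRET_NAMES = {"DB_USER", "DB_PASSWORD"}  # assumption: names used on this page

def audit_php_file(path):
    """Report hard-coded DB credentials in one file, without echoing the values."""
    findings = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            for name, _quote, value in DEFINE_RE.findall(line):
                if name.upper() in SECRET_NAMES and value:
                    findings.append((path, lineno, f"hard-coded {name.upper()}"))
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if findings and mode & stat.S_IROTH:
        findings.append((path, 0, f"world-readable (mode {mode:o})"))
    return findings

def audit_tree(root):
    """Walk a web root and audit every .php file in a stable order."""
    results = []
    for dirpath, _dirs, files in sorted(os.walk(root)):
        for fn in sorted(files):
            if fn.endswith(".php"):
                results.extend(audit_php_file(os.path.join(dirpath, fn)))
    return results

def demo():
    """Audit a constructed web root: one literal config, one reading the environment."""
    samples = {
        "configuration.php": '<?php\ndefine (DB_USER, "mysql_user");\n'
                             'define (DB_PASSWORD, "mysql_password");\n',
        "configuration_env.php": "<?php\ndefine('DB_PASSWORD', getenv('DB_PASSWORD'));\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, body in samples.items():
            path = os.path.join(root, name)
            with open(path, "w") as fh:
                fh.write(body)
            os.chmod(path, 0o644)
        return [(os.path.basename(p), n, m) for p, n, m in audit_tree(root)]

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

The file that takes its password from the environment, as the `memory_limit` setting above does with `PHP_MEMORY_LIMIT`, produces no finding.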