Last night I used the WordPress Scanner on two of my blogs and I got this message.
dangerous-check-[0] PHP configuration file found in http://www.somewebsite.com/I guess it is complaining about the fact that I have a php.ini file. I guess there is a security implication I am do not know about. I googled php.ini and security and I did not get any hits. Can anybody provide me with some insight on the security issue?
BlogSecurity » Blog Archive » WordPress Scanner
1 response so far ↓
1 Philipp // Mar 25, 2008 at 2:39 pm
Hi,
Thank you for using BlogSecurity Applications. I’m not the maintainer of the WordPress Scanner, nor do I have insight into the code at all. But I would guess that this was caused because your php.ini file is accessable through the Web(don’t know if further checking of writeability is done). So this could be a security risk as an attacker could be able to modify your ini so it executes harmful code with every PHP Script or he’s able to change some Settings to run other Exploits easier.
That’s the only thing I can imagine what could cause this to be fired. I’m not sure how PHP searches for the php.ini file to use, but you should try to move this file one folder above your Webroot, which shouldn’t be accessable through the web anymore.
Leave a Comment