PHP OPcache Information Disclosure Vulnerability

The article discusses a PHP OPcache information disclosure vulnerability that was awarded a $100 bounty on HackerOne. The vulnerability exposes sensitive information through /opcache/index.php, which could be exploited by attackers to gather critical server details.

You Should Know:

1. Understanding OPcache

OPcache improves PHP performance by storing precompiled script bytecode in shared memory, reducing the need for PHP to load and parse scripts on each request. However, misconfigurations can lead to information leaks.

2. Exploiting the Vulnerability

If OPcache statistics or debugging pages are publicly accessible, attackers can retrieve sensitive data such as:
– Server paths
– Cached scripts
– Environment variables

Check if OPcache is exposed:

curl -v http://target.com/opcache/index.php

3. Mitigation Steps

To prevent OPcache information disclosure:

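Disable OPcache Statistics Page

Edit `php.ini` (these directives configure OPcache itself; the status script still has to be removed or blocked at the web server, as in the Apache and Nginx rules that follow):

; Keep the bytecode cache enabled for web requests
opcache.enable=1
; Do not enable OPcache for the CLI
opcache.enable_cli=0
; Do not consult the cache for file_exists()/is_file()/is_readable() checks
opcache.enable_file_override=0
; Write OPcache errors to a dedicated log file
opcache.error_log=/var/log/php_opcache.log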

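Restrict Access via .htaccess (Apache)

# Denies files whose names start with "opcache-" (the * wildcard is required for that).
# To block /opcache/index.php, put "Require all denied" in an .htaccess inside opcache/.
<Files "opcache-*">
    Require all denied
</Files>

Nginx Restriction

location ~ ^/opcache/ {
    deny all;
    return 403;
}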

4. Verify Fixes

Run a security scan using:

nmap --script http-php-opcache <target_IP>

5. Alternative Exploitation via Metasploit

If OPcache is misconfigured, attackers may use:

msfconsole
use auxiliary/scanner/http/php_opcache_leak
set RHOSTS <target_IP>
run

What Undercode Say

OPcache misconfigurations are a common source of information leaks in PHP applications. Always:
– Disable debugging interfaces in production.
– Restrict access to sensitive endpoints.
– Monitor logs for unauthorized access attempts.
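
Log monitoring for this issue can be narrowed to requests for OPcache status paths. The following is an added example, not code from the original article or the HackerOne report: it sorts access-log hits on such paths into requests that were served (the page is still exposed) and requests that were not. It assumes combined log format; the sample lines, IP addresses and the names `triage` and `is_opcache_path` are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample lines (combined log format, documentation IP ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2025:10:01:02 +0000] "GET /opcache/index.php HTTP/1.1" 200 48213 "-" "curl/8.5.0"
203.0.113.7 - - [10/Mar/2025:10:01:09 +0000] "GET /opcache/index.php?v=1 HTTP/1.1" 200 48213 "-" "curl/8.5.0"
198.51.100.23 - - [10/Mar/2025:11:15:40 +0000] "GET /opcache/ HTTP/1.1" 403 153 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2025:11:15:41 +0000] "GET /OPcache-status.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Mar/2025:11:20:00 +0000] "GET /blog/opcache-tuning HTTP/1.1" 200 9021 "-" "Mozilla/5.0"
this line is not a valid log entry
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
SCRIPT_RE = re.compile(r"^opcache[\w.-]*\.php$")  # e.g. opcache-status.php


def is_opcache_path(target):
    """True for an /opcache/ directory or an opcache*.php script, any case or %-encoding."""
    path = unquote(target.split("?", 1)[0]).lower()
    segments = path.split("/")
    return "opcache" in segments or bool(SCRIPT_RE.match(segments[-1]))


def triage(log_text):
    """Return (exposed, refused): client IP -> [(status, target)] for OPcache paths."""
    exposed = defaultdict(list)  # 2xx: the page was served, restriction is not in effect
    refused = defaultdict(list)  # non-2xx (403, 404, redirect): request was not served
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not is_opcache_path(m["target"]):
            continue  # unparseable line or unrelated request
        bucket = exposed if m["status"].startswith("2") else refused
        bucket[m["ip"]].append((m["status"], m["target"]))
    return dict(exposed), dict(refused)


if __name__ == "__main__":
    exposed, refused = triage(SAMPLE_LOG)
    for label, hits in (("EXPOSED", exposed), ("refused", refused)):
        for ip, reqs in hits.items():
            print(label, ip, reqs)
```

Any entry in the first mapping means the Apache or Nginx restriction is not in effect for that path and should be treated as an exposure, not just a probe.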

Additional Security Commands

  • Check PHP Version for Vulnerabilities:
    php -v
    
  • Scan for Exposed PHP Files:
    dirb http://target.com /usr/share/wordlists/dirb/common.txt -X .php
    
  • Audit PHP Configurations:
    grep -r "opcache" /etc/php/
    

Expected Output:

A secure PHP environment where OPcache statistics are not publicly accessible, reducing the risk of sensitive data exposure.

Reference: HackerOne Report

References:

Reported By: Alhasan Abbas – Hackers Feeds