Description

PHP-FPM (FastCGI Process Manager) is an alternative PHP FastCGI implementation. PHP-FPM has a feature that allows setting up a status page to view that status of a PHP-FPM pool, configurable using the option pm.status_path.

On this server the PHP-FPM Status Page is publicly accessible. For security reasons, its recommended to keep your PHP-FPM status page private.

Remediation

For security reasons, its recommended to keep your PHP-FPM status page private. You can restrict access to certain IP addresses by using the allow keyword as shown below: 

location ~ ^/(status|ping)$ {
     access_log off;
     allow 127.0.0.1;
     allow 1.2.3.4#your-ip;
     deny all;
     include fastcgi_params;
     fastcgi_pass 127.0.0.1:9000;
}

References

PHP-FPM Status Page

Related Vulnerabilities

WordPress Plugin Order Export & Order Import for WooCommerce Information Disclosure (1.0.8)

WordPress 4.7.x Multiple Vulnerabilities (4.7 - 4.7.24)

Zend Framework local file disclosure via XXE injection

WordPress Plugin MetaSlider Information Disclosure (3.3.1)

WordPress Plugin Welcart e-Commerce Information Disclosure (2.2.7)

Severity

Medium

Classification

CWE-200 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N

Tags

Information Disclosure