OPcache Status Exposure

By kannthu

Low
Vidoc Module
#config #exposure #status
Description

What is "OPcache Status Exposure"?

The "OPcache Status Exposure" module is designed to detect a potential misconfiguration in the OPcache status of a website. OPcache is a caching engine for PHP that improves the performance of PHP applications by storing precompiled script bytecode in shared memory. This module focuses on identifying whether the OPcache status page is publicly accessible, which could potentially expose sensitive information about the server's configuration.

This module has a low severity level, indicating that the potential impact of the misconfiguration is relatively limited.

This module was authored by pdteam.

Impact

If the OPcache status page is exposed to the public, it may reveal sensitive information about the server's configuration. This could include details about the OPcache settings, such as whether it is enabled and the hit rate. Attackers could potentially use this information to gain insights into the server's PHP environment and exploit any vulnerabilities or weaknesses.

How does the module work?

The "OPcache Status Exposure" module sends HTTP requests to specific paths on the target website, such as "/opcache-status/", "/php-opcache-status/", and "/opcache-status/opcache.php". It uses the GET method to retrieve the content of these pages.

The module then applies matching conditions to the response body to determine if the OPcache status page is exposed. It looks for specific HTML elements, such as "opcache_enabled" and "opcache_hit_rate", to identify if the page contains information about the OPcache status.

If the matching conditions are met, the module reports a potential vulnerability, indicating that the OPcache status page is publicly accessible.
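
The check described above, written as an added Python example for auditing a host you operate; it is not Vidoc's module code. Matching the two names inside `<th>` cells and requiring both to be present are assumptions of this example, and the sample pages are constructed.

```python
import re
import sys
import urllib.request
from urllib.parse import urljoin

# Paths the page lists for the module's GET requests.
PATHS = ["/opcache-status/", "/php-opcache-status/", "/opcache-status/opcache.php"]

# Names the page says the matcher looks for. Matching them inside <th> cells
# and requiring both to be present are assumptions of this example.
MARKERS = ("opcache_enabled", "opcache_hit_rate")

# Constructed sample bodies (not captured from a real server).
SAMPLE_STATUS_PAGE = (
    "<table><tr><th>opcache_enabled</th><td>true</td></tr>"
    "<tr><th>opcache_hit_rate</th><td>99.2</td></tr></table>"
)
SAMPLE_PROSE_PAGE = "<p>Set opcache_enabled and watch opcache_hit_rate.</p>"


def looks_like_opcache_status(body):
    """True when every marker appears as a table header cell in the body."""
    return all(
        re.search(r"<th>\s*" + re.escape(m) + r"\s*</th>", body) for m in MARKERS
    )


def http_get(url, timeout=5):
    """Fetch up to 256 KiB of a URL; HTTP and network errors yield ''."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read(262144).decode("utf-8", "replace")
    except OSError:  # URLError, HTTPError and timeouts all derive from OSError
        return ""


def audit(base_url, fetch=http_get):
    """Return the URLs under base_url (a host you operate) that expose the page."""
    urls = [urljoin(base_url, path) for path in PATHS]
    return [url for url in urls if looks_like_opcache_status(fetch(url))]


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(audit(sys.argv[1]) or "no exposed OPcache status page found")
    else:  # offline demo against the constructed samples
        print(looks_like_opcache_status(SAMPLE_STATUS_PAGE))
        print(looks_like_opcache_status(SAMPLE_PROSE_PAGE))
```

Any URL that `audit` returns should be removed from the web root or restricted to authenticated or internal access.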

Module preview

Concurrent Requests (1)
1. HTTP Request template
GET /opcache-status/, /php-opcache-status/, /opcache-status/opca...
Matching conditions
word: <th>opcache_enabled</th>, <th>opcache_hi...
Passive global matcher
No matching conditions.
On match action
Report vulnerability