By kannthu
The "PHPStan Configuration Exposure" module detects a PHPStan configuration file (phpstan.neon) that is reachable over HTTP. PHPStan is a static analysis tool for PHP that finds errors and potential issues in PHP code. Its configuration file normally lives in the project root and is not meant to be served; when the project root doubles as the web root, or the file is deployed alongside public assets, anyone can download it.
The module is rated low severity: the finding is an information disclosure, not a direct path to code execution.
An exposed phpstan.neon reveals details that help an attacker map the application: the directories and files being analysed (paths, excludePaths), bootstrap files, included configuration files, and sometimes the names of custom rules or extensions. It is also a strong hint that other project files outside the intended public directory may be reachable the same way.
The "PHPStan Configuration Exposure" module works by sending an HTTP GET request to the /phpstan.neon path and applying three matching conditions to the response:
- The response body must contain the string "parameters:".
- The response headers must not contain "text/html" or "application/javascript" (this rejects HTML pages, such as soft-404 pages, that happen to contain the marker string).
- The response status code must be 200.
If all three conditions are met, the module reports the PHPStan configuration file as exposed. Note the trade-off in the header condition: a server that labels unknown file extensions as text/html would serve a real phpstan.neon with that content type, and the module would miss it.
For example, if the PHPStan configuration file is accessible at https://example.com/phpstan.neon with status 200, a non-HTML content type, and a body containing "parameters:", the module flags it as exposed.
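The following is an added example, not Vidoc's own module code: it re-implements the three matching conditions above as a Python function, runs them against constructed sample responses (a real exposure, an HTML soft-404 that contains the marker string, a genuine 404, and an unrelated file), and then goes one step beyond the module by pulling the layout-revealing settings out of an exposed file. The list of keys treated as sensitive, the sample phpstan.neon, and the `scan()` helper's User-Agent are assumptions made for this example.

```python
"""Offline model of the "PHPStan Configuration Exposure" check.

Re-implements the three matchers against in-memory responses, then
extracts the layout-revealing settings from an exposed phpstan.neon.
All sample responses below are constructed for this example.
"""
import re
import urllib.error
import urllib.request
from dataclasses import dataclass

CONFIG_PATH = "/phpstan.neon"
BODY_MARKER = "parameters:"
HEADER_BLOCKLIST = ("text/html", "application/javascript")
# Assumed list of keys worth reporting from an exposed file; the module
# itself only reports exposure and does not parse the file.
SENSITIVE_KEYS = ("includes", "paths", "excludePaths", "scanDirectories",
                  "scanFiles", "bootstrapFiles")


@dataclass
class Response:
    status: int
    headers: dict
    body: str


def matches(resp: Response) -> bool:
    """Apply the module's three conditions; True means 'exposed'."""
    if resp.status != 200:
        return False
    if BODY_MARKER not in resp.body:
        return False
    # The condition is stated over the headers as a whole, so check every
    # header value rather than only Content-Type.
    header_blob = " ".join(f"{k}: {v}" for k, v in resp.headers.items()).lower()
    return not any(word in header_blob for word in HEADER_BLOCKLIST)


def disclosed_settings(body: str) -> dict:
    """Pull list-valued settings out of NEON text with a minimal line scanner.

    NEON is YAML-like; this handles 'key:' lines followed by '- item' lines
    and inline scalars, which covers typical phpstan.neon files.
    """
    found = {}
    current = None
    for raw in body.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        key_match = re.match(r"^\s*([A-Za-z_]+):\s*(.*)$", line)
        if key_match:
            key, inline = key_match.group(1), key_match.group(2).strip()
            current = key if key in SENSITIVE_KEYS else None
            if current:
                found[current] = [inline] if inline else []
            continue
        item_match = re.match(r"^\s*-\s*(.+)$", line)
        if item_match and current:
            found[current].append(item_match.group(1).strip())
    return found


# Constructed phpstan.neon representative of a real project layout.
EXPOSED_NEON = """\
includes:
    - vendor/phpstan/phpstan-strict-rules/rules.neon
parameters:
    level: 6
    paths:
        - src
        - app
    excludePaths:
        - tests/fixtures/*
    bootstrapFiles:
        - config/bootstrap.php
"""

SAMPLE_RESPONSES = {  # constructed for this example
    "exposed": Response(200, {"Content-Type": "text/plain"}, EXPOSED_NEON),
    "html_soft_404": Response(200, {"Content-Type": "text/html; charset=utf-8"},
                              "<html><body>Page not found. parameters: none</body></html>"),
    "real_404": Response(404, {"Content-Type": "text/plain"}, EXPOSED_NEON),
    "wrong_file": Response(200, {"Content-Type": "text/plain"}, "level: 6\n"),
}


def run_samples() -> dict:
    """Evaluate every sample; returns {name: exposed?}."""
    return {name: matches(resp) for name, resp in SAMPLE_RESPONSES.items()}


def scan(base_url: str, timeout: float = 10.0) -> Response:
    """Fetch base_url + /phpstan.neon over the network and wrap it as a Response."""
    req = urllib.request.Request(base_url.rstrip("/") + CONFIG_PATH,
                                 headers={"User-Agent": "phpstan-neon-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as r:
            return Response(r.status, dict(r.headers), r.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as e:
        return Response(e.code, dict(e.headers), e.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    for name, exposed in run_samples().items():
        print(f"{name:14s} exposed={exposed}")
    for key, values in disclosed_settings(EXPOSED_NEON).items():
        print(f"  {key}: {values}")
```

Against a live target, `matches(scan("https://example.com"))` applies the same three conditions to the real response; the offline samples show why the header condition exists (the HTML soft-404 would otherwise match) and what a positive finding actually gives away.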