Severity template misconfiguration/php-fpm-status.yaml #7773

bizibabe · 2023-07-26T18:50:03Z

bizibabe
Jul 26, 2023

Hello,
I think the severity of the template "misconfiguration/php-fpm-status.yaml" should be increased.

fpm-status allows you to see all web server requests in real time.
For example, a user clicks on a link to reset his password:

pid: 48753
status: inactive
start time: 26/Jul/2023:17:20:38 +0000
start since : 3991
requests : 94
query duration : 136287
request method : GET
request URI: /account/reset_password?token=f2eb7dc04bd461b7a9d
content length: 25
user : -
script : /var/www/html/public/index.php
last cpu request: 36.69
last memory request: 6029312

==> The attacker can then take control of the account

princechaddha · 2023-07-31T16:03:48Z

princechaddha
Jul 31, 2023
Maintainer

Hi @bizibabe, Thank you for taking the time to create this discussion. I have updated the severity from info to unknown here as the actual severity should depend on the host and the information it discloses. It wouldn't make sense to classify the severity as high for a host that doesn't expose any info. Thank you once again

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Severity template misconfiguration/php-fpm-status.yaml #7773

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Replies: 1 comment

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Select a reply

Severity template misconfiguration/php-fpm-status.yaml #7773

bizibabe Jul 26, 2023

Replies: 1 comment

princechaddha Jul 31, 2023 Maintainer

bizibabe
Jul 26, 2023

princechaddha
Jul 31, 2023
Maintainer