CMS & Web Frameworks

Probe paths for WordPress, Drupal, Laravel, Symfony, and other CMS and frameworks.

43 probed paths in this category.
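Before the individual entries, an added example (not part of the original listing) of the detection a defender would run against these probes: a Python script that parses nginx/Apache combined-format access log lines, matches the request path against a subset of the paths listed in this category, counts distinct probe paths per source address, and separately flags any probe that received a 2xx, since that is the case where the server actually served the artifact rather than answering a miss. The log lines and addresses are constructed samples; the path subset and the threshold of three distinct probes are assumptions to tune for your own environment.

```python
"""Flag scanners hitting CMS/framework probe paths in an nginx/Apache combined log.

Added example, not part of the original listing. The log lines below are
constructed samples; PROBE_PATHS is a subset of the paths in this category.
"""
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# Subset of this category's probe paths: lower-case, no leading slash, no query.
PROBE_PATHS = {
    "_ignition/execute-solution", "_profiler/phpinfo", "debug/default/view",
    "wp-config.php.bak", "wp-config.php~", "laravel/.env", "xmlrpc.php",
    "wp-json/wp/v2/users", "telescope/requests", "sites/default/settings.php",
    "lib/phpunit/util/php/eval-stdin.php",
}
# Query-string fragments of the ThinkPHP invokefunction payload listed below.
RCE_QUERY_MARKERS = ("invokefunction", "call_user_func_array")

# Combined log format: ip ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def normalise(target):
    """Split a request target into (path, query), percent-decoded and lower-cased."""
    parts = urlsplit(target)
    return unquote(parts.path).lower().lstrip("/"), unquote(parts.query).lower()


def classify(line):
    """Return a dict describing a probe hit, or None for ordinary traffic."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, query = normalise(m["target"])
    # Match the path itself or the same path under a prefix (sapi/debug/default/view).
    hit = any(path == p or path.endswith("/" + p) for p in PROBE_PATHS)
    rce = any(marker in query for marker in RCE_QUERY_MARKERS)
    if not (hit or rce):
        return None
    status = int(m["status"])
    return {
        "ip": m["ip"],
        "path": path,
        "status": status,
        # A 2xx on a listed path means the server served the artifact, not a probe miss.
        "served": hit and 200 <= status < 300,
        "rce_attempt": rce,
    }


def summarise(lines, threshold=3):
    """Aggregate hits per source IP; flag scanners and any probe that was served."""
    per_ip = defaultdict(lambda: {"paths": set(), "served": [], "rce": 0})
    for line in lines:
        ev = classify(line)
        if ev is None:
            continue
        rec = per_ip[ev["ip"]]
        rec["paths"].add(ev["path"])
        if ev["served"]:
            rec["served"].append((ev["path"], ev["status"]))
        rec["rce"] += ev["rce_attempt"]
    return {
        ip: {
            "distinct_probes": len(r["paths"]),
            "scanner": len(r["paths"]) >= threshold or r["rce"] > 0,
            "served": sorted(set(r["served"])),
            "rce_attempts": r["rce"],
        }
        for ip, r in per_ip.items()
    }


# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.7 - - [12/May/2024:10:01:02 +0000] "GET /laravel/.env HTTP/1.1" 404 162 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/May/2024:10:01:03 +0000] "GET /wp-config.php.bak HTTP/1.1" 200 2931 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/May/2024:10:01:04 +0000] "GET /debug/default/view?panel=config HTTP/1.1" 404 162 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/May/2024:10:01:05 +0000] "GET /index.php?s=/Index/%5Cthink%5Capp/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP21 HTTP/1.1" 200 1024 "-" "curl/8.0"',
    '198.51.100.4 - - [12/May/2024:10:02:00 +0000] "GET /blog/hello-world/ HTTP/1.1" 200 8421 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [12/May/2024:10:02:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, finding in summarise(SAMPLE_LOG).items():
        print(ip, finding)
```

The served list is the one to act on first: in the sample, 203.0.113.7 is flagged as a scanner, but the finding that matters is that wp-config.php.bak came back 200, which means the backup is live and the credentials in it need rotating regardless of who asked for it. A single 200 on xmlrpc.php from an otherwise quiet address is not a scanner verdict, but it does show the endpoint is enabled.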

_ignition/execute-solution

Laravel Ignition

Risk: Laravel Ignition's debug solution endpoint, when debug mode is on, allows unauthenticated remote code execution via CVE-2021-3129, giving an attacker full control of the application server.

Fix: Set APP_DEBUG=false in production (the solution runner only works while debug is on), upgrade facade/ignition to 2.5.2 or later, and block the _ignition route at the web server or WAF.

_profiler/info

Symfony

Risk: The Symfony Web Profiler exposes request data, database queries, configuration, environment variables, and session contents, giving an attacker deep insight into the application and potential credentials.

Fix: Disable the profiler in production (web_profiler bundle should load only in dev/test), and block /_profiler at the web server level.

_profiler/phpinfo

Symfony Web Profiler

Risk: The Symfony Web Profiler's phpinfo page exposes the full PHP configuration and the environment of the PHP worker; the surrounding profiler panels add request data, environment variables, database queries and session contents, leaking secrets and configuration that aid further attacks. This is a Symfony route (Laravel Debugbar lives under /_debugbar), so a response here identifies the framework as well.

Fix: Load WebProfilerBundle only for the dev and test environments (config/bundles.php) with APP_ENV=prod and APP_DEBUG=0 in production, and deny /_profiler at the web server.

_wpeprivate/config.json

WordPress

Risk: This WP Engine private config file can leak hosting configuration, internal paths, and credentials, aiding compromise of the WordPress site and its hosting account.

Fix: Deny web access to the _wpeprivate directory via server rules, keep private configuration out of the document root, and ensure the host returns 404 for such probes.

administrator/

Joomla Administrator Login

Risk: This is the Joomla administrator backend; reaching it confirms Joomla and exposes the admin login, where weak or default credentials, or a Joomla auth-bypass CVE, can grant full site control including template editing that yields PHP code execution.

Fix: Protect the /administrator directory with an additional HTTP auth layer or IP allowlist, enforce strong admin passwords with MFA, and keep Joomla core and extensions patched against known admin-access vulnerabilities.

administrator/index.php

Joomla Administrator Interface

Risk: The Joomla administrator login script confirms a Joomla install and provides the credential-entry point for the backend; successful login or an authentication-bypass flaw lets an attacker install malicious extensions and execute arbitrary PHP. Brute-force and CVE exploitation against this endpoint can fully compromise the site.

Fix: Restrict access to /administrator by IP or wrap it in server-level HTTP authentication, enable MFA and login rate-limiting in Joomla, and apply security patches promptly to close admin-bypass CVEs.

app_dev.php/_profiler/phpinfo

Symfony

Risk: The Symfony dev front controller combined with the profiler's phpinfo panel exposes the full PHP and application configuration, environment variables, and absolute paths, giving an attacker a detailed blueprint for further exploitation.

Fix: Never deploy app_dev.php to production: remove it from the web/ directory in the build rather than trusting its built-in guard, which only rejects requests that carry an X-Forwarded-For or Client-IP header or arrive from a non-loopback REMOTE_ADDR, so a reverse proxy on the same host that forwards without those headers passes every request through. On Symfony 4 and later there is no dev controller; set APP_ENV=prod and APP_DEBUG=0 instead. Block /_profiler at the web server in both cases.

CHANGELOG.txt

CMS changelog file frequently used to fingerprint Drupal and other software versions

Risk: Discloses the exact CMS version and patch history, letting an attacker look up version-specific public exploits to target the installation precisely. Drupal 7 ships CHANGELOG.txt in the web root while Drupal 8 and later keep it under core/, so a hit on this path usually indicates a Drupal 7 install with the file left in place.

Fix: Delete or deny web access to CHANGELOG.txt and other version-fingerprinting files after deployment, and keep the CMS continuously updated.

community/

DNN CMS

Risk: Fingerprints a DNN (DotNetNuke) CMS install, letting an attacker target known DNN vulnerabilities such as unrestricted file upload and deserialization flaws for remote code execution.

Fix: Keep DNN patched to the current release, remove default/unused modules and install directories, and return a 404 for fingerprinting paths that do not correspond to real content.

config/database.yml

Rails Database Configuration

Risk: This Rails file contains database adapter, host, username, and password for each environment, giving an attacker direct credentials to the application's database.

Fix: Use environment variables or Rails encrypted credentials for DB settings, and ensure only the public/ directory is web-served so the config/ tree is unreachable.

core/Datavase/.env

Laravel

Risk: An exposed Laravel .env file leaks the APP_KEY, database credentials, mail and third-party API keys, and cache/session secrets, enabling full application takeover and decryption of signed data.

Fix: Store .env outside the public web root, add web server rules denying access to dotfiles, rotate any exposed keys immediately, and never commit .env to version control.

debug/default

Yii 2 Debug Module

Risk: This is the index of the Yii 2 debug module (yiisoft/yii2-debug), whose URLs are /debug/default/..., not a Symfony route. The module records every request and its panels expose request headers, cookies and session data, executed database queries, logs, the application configuration and a phpinfo view. It is meant to be reachable only from the addresses in its allowedIPs setting (127.0.0.1 and ::1 by default), so a response here means the module was left on in production or allowedIPs was widened, and an attacker can read recorded admin session cookies and any credentials that appear in environment variables or queries.

Fix: Define YII_DEBUG as false and YII_ENV as 'prod' in the production front controller (web/index.php) so the YII_ENV_DEV-guarded block that registers the debug module never runs, never set allowedIPs to '*', and deny /debug at the web server.

debug/default/view

Yii 2 Debug Module

Risk: The view action of the Yii 2 debug module renders the recorded panels for a request tag: request details (headers, cookies, session, server variables), configuration, database queries with their bindings, and logged errors with stack traces, all useful for session theft and for mapping the application. It is a Yii route, not a Symfony one.

Fix: Disable debug mode in production (YII_DEBUG false, YII_ENV 'prod') so the debug module is never registered, keep allowedIPs limited to developer addresses wherever it must stay enabled, and deny /debug at the web server.

debug/default/view?panel=config

Yii 2 Debug Module

Risk: Reaches the config panel of the Yii 2 debug module, which reports the application configuration, Yii and PHP versions and loaded extensions and links to a phpinfo view; phpinfo prints the process environment, so database credentials, API keys and the cookie validation key leak whenever they are supplied through environment variables, enabling session forgery and full application compromise. This is the URL scanners use to detect an exposed Yii 2 debug module; it is not Laravel Debugbar, which lives under /_debugbar.

Fix: Turn YII_DEBUG off and set YII_ENV to 'prod' in production, remove the debug module from the production configuration, and return 404 for /debug at the web server.

debug/default/view?panel=config/frontend_dev.php

Yii 2 Debug Module

Risk: A scanner variant that appends the symfony 1.x dev front-controller name to the Yii 2 debug config-panel URL; any response other than 404 points to a reachable debug module, which leaks application configuration, phpinfo output with environment variables, database queries, session contents and source paths, handing an attacker the data needed for deeper compromise.

Fix: Register the debug module only under a dev YII_ENV with YII_DEBUG false in production, remove any dev front controllers (frontend_dev.php, app_dev.php) from the web root, and block /debug and /_profiler at the web server.

directus/items/users

Directus Users API

Risk: Reaching the Directus users collection can expose account records and, with a valid token, permits enumerating or modifying users and escalating to admin if role permissions are misconfigured.

Fix: Enforce role-based permissions and field-level access control on the directus_users collection, require authentication on all item endpoints, and disable public read access in the data model settings.

frontend/web/debug/default/view

Yii 2 Debug Module

Risk: The same Yii 2 debug view under the frontend/web/ directory of the Yii 2 advanced application template; a reachable debug module exposes request details, configuration, database queries and environment data. A response here usually also means the document root is the project directory rather than frontend/web, so common/config and backend/ are within reach of the web server as well.

Fix: Disable the debug module in production (YII_DEBUG false, YII_ENV 'prod'), restrict allowedIPs to developer addresses where it must remain, point the document root at frontend/web and backend/web rather than the project root, and block debug routes at the web server.

frontend_dev.php/$

symfony 1.x

Risk: frontend_dev.php is the symfony 1.x dev front controller (the Symfony 2/3 equivalent is app_dev.php); reachable, it runs the application in debug mode and exposes the web debug toolbar, configuration, environment variables and detailed stack traces that reveal internal paths and secrets.

Fix: Never deploy dev front controllers (frontend_dev.php, app_dev.php) to production; remove them from the web directory in the build and do not rely on their REMOTE_ADDR check, which is satisfied by any request arriving from the loopback address, as requests forwarded by a reverse proxy on the same host do (for app_dev.php, unless the proxy also sets X-Forwarded-For).

geoserver

GeoServer

Risk: An exposed GeoServer instance is probed for CVE-2024-36401 OGC eval injection, allowing unauthenticated remote code execution, and for default admin/geoserver credentials granting full control of the geospatial data and underlying host.

Fix: Patch to a fixed GeoServer release, change the default admin credentials, and place the admin web interface behind authentication or network restrictions rather than the public internet.

geoserver/web/

GeoServer

Risk: The GeoServer web admin console allows configuring data stores and the WPS/OGC services, so reaching it enables exploitation of evaluation-expression RCE (CVE-2024-36401) or credential brute force to seize the server.

Fix: Block /geoserver/web/ from public access via firewall or reverse-proxy ACLs, enforce strong non-default admin credentials, and keep GeoServer and its GeoTools/commons-jxpath dependencies patched.

ghost/api/admin/posts

Ghost CMS Admin API

Risk: A leaked Ghost Admin API key allows an attacker to create, edit, or delete posts, inject malicious scripts or SEO spam into published content, and alter site settings.

Fix: Treat the Admin API key as a server-side secret with its key ID and secret kept out of front-end code, use the Content API for read-only client access, and rotate keys via the integration settings if exposed.

index.php?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP21

ThinkPHP

Risk: This is the ThinkPHP 5.x remote code execution payload (CVE-2018-20062 / CVE-2019-9082): the framework let the controller name in s= escape into the \think\App class and call invokefunction with attacker-supplied arguments, so call_user_func_array runs any PHP callable as an unauthenticated request. The md5 probe itself is harmless, but a vulnerable server answers with the MD5 hash of HelloThinkPHP21, confirming that the next request can pass system, assert or file_put_contents instead.

Fix: Upgrade to ThinkPHP 5.0.23+ or 5.1.31+ (the releases that validate controller names), set url_route_must so only defined routes resolve, and add WAF rules blocking requests containing the invokefunction/call_user_func_array pattern.

laravel/.env

Laravel environment file containing database credentials and app keys

Risk: Discloses APP_KEY, database credentials, mail and third-party API keys, allowing an attacker to decrypt sessions, forge signed data, and access connected services.

Fix: Confirm the web root points to public/ so .env stays outside it, add explicit web-server rules denying dotfiles, and rotate APP_KEY and all secrets if exposed.

lib/phpunit/Util/PHP/eval-stdin.php

PHPUnit

Risk: This PHPUnit utility evaluates PHP code from the request body (CVE-2017-9841), allowing unauthenticated remote code execution if it is web-accessible.

Fix: Remove PHPUnit and other dev dependencies from production deployments, keep vendor directories outside the web root, and update PHPUnit to a patched version.

readme.html

Default README file used to fingerprint WordPress and other CMS versions

Risk: Reveals the CMS (commonly WordPress) and its version, narrowing the attacker's exploit selection to vulnerabilities affecting that specific release.

Fix: Remove readme.html post-install or block it at the web server, and suppress version strings elsewhere: the generator meta tag (unhook wp_generator from wp_head) and the ?ver= query string WordPress appends to enqueued scripts and styles.

ReportServer

SQL Server Reporting Services

Risk: /ReportServer is the web-service URL of Microsoft SQL Server Reporting Services (JasperReports Server answers under /jasperserver instead); exposed instances can allow unauthenticated report access, parameter-based information disclosure, or known RCE/XXE flaws leading to data exfiltration or server compromise.

Fix: Require authentication on the report server, restrict it to internal networks or VPN, keep it patched, and disable anonymous or guest report execution.

sapi/debug/default/view

Yii 2 Debug Module

Risk: The Yii 2 debug view reached under a sapi/ application directory; a reachable debug module runs with debugging enabled and exposes stack traces, configuration, request and session data and the application's internal structure to attackers.

Fix: Disable debug mode in production (YII_DEBUG false, YII_ENV 'prod'), remove the debug module and any dev front controllers from the build, and block /debug routes at the web server.

sites/default/settings.php

Drupal site settings file containing database credentials and hash salt

Risk: If readable, leaks the Drupal database credentials, hash_salt, and config keys, enabling direct database access, session/token forgery, and full site compromise.

Fix: settings.php must only ever be executed by PHP (a direct request then returns an empty page, never the source); the usual leak is a backup copy such as settings.php.bak or settings.php~, which Drupal's shipped .htaccess denies on Apache and which nginx configurations must deny explicitly. Set the file read-only for the web user (444, as Drupal's status report checks), and load credentials from environment variables or a file outside the web root where possible.

solr/

Apache Solr

Risk: An unauthenticated Solr admin interface allows querying and modifying indexed data and, via the VelocityResponseWriter or config API, remote code execution on the search server.

Fix: Bind Solr to localhost or an internal network, require authentication and authorization, disable the Velocity response writer, and place it behind a reverse proxy with access controls.

storage/logs/laravel.log

Laravel application log that can leak stack traces, queries, and secrets

Risk: Reveals application stack traces, SQL queries with bound parameters, and sometimes credentials or tokens logged during errors, giving an attacker a detailed map of the app internals.

Fix: Ensure the document root is public/ so storage/ is never web-accessible, set APP_DEBUG=false in production, and restrict log file permissions.

strapi/api/content-manager/collection-types

Strapi Content Manager API

Risk: Access to Strapi's content-manager admin API exposes all collection schemas and entries and, with stolen admin credentials, permits creating/modifying content and users with full back-office control.

Fix: Lock down admin routes behind authentication, change default admin credentials, keep Strapi patched, and place the admin panel behind a VPN or IP allowlist rather than the public internet.

tech/drupal

Drupal probe path used to fingerprint Drupal installations

Risk: A response here fingerprints a Drupal install, signaling scanners to launch Drupal-specific exploits such as Drupalgeddon SQL injection and remote-code-execution attacks.

Fix: Return a clean 404 for fingerprinting probes, keep Drupal core and modules patched, and place a WAF rule in front of known Drupal exploit paths.

telescope/requests

Laravel Telescope debug-assistant requests panel that can expose application data

Risk: Exposes Laravel Telescope's captured HTTP requests, which can include session tokens, request payloads, query bindings, and other sensitive runtime data.

Fix: Disable Telescope in production (TELESCOPE_ENABLED=false) or gate it behind the gate() authorization callback in TelescopeServiceProvider so only authorized users reach /telescope.

web/debug/default/view

Yii 2 Debug Module

Risk: The Yii 2 debug view under the web/ directory of the basic application template; an exposed module records full request and response data, database queries, session contents, configuration and environment data for every request, letting an attacker harvest credentials and map the application internals. Because the path includes web/, a response usually also means the document root is the project directory, leaving config/ and runtime/ (logs) reachable too.

Fix: Register the debug module only under a dev YII_ENV and set YII_DEBUG to false in production, point the document root at web/, and return 404 for /debug at the web server.

wlwmanifest.xml

Windows Live Writer manifest linked by WordPress, commonly probed to fingerprint installs

Risk: Its presence confirms a WordPress install and helps bots fingerprint the platform to select targeted exploits, though the file itself exposes no sensitive data.

Fix: Remove the link from the page head with `remove_action('wp_head','wlwmanifest_link')` if Windows Live Writer is unused; the manifest itself ships at wp-includes/wlwmanifest.xml, so also deny that file at the web server, and ensure the server returns a clean 404 without revealing version banners.

wp-admin/setup-config.php

WordPress installation setup wizard, probed to find unconfigured installs

Risk: On an unconfigured install this wizard lets an attacker point the site at their own database, gaining full admin control; on a configured site it confirms WordPress and its setup state.

Fix: Complete or remove the installation immediately, block `/wp-admin/setup-config.php` after setup, and ensure the server returns a clean 404 without exposing version or stack-trace details.

wp-config.php.bak

WordPress Configuration Backup

Risk: A backup of wp-config.php served as plain text exposes the WordPress database name, host, username, password, and secret auth keys, giving an attacker direct database access and the ability to forge session cookies.

Fix: Remove editor/backup artifacts from the webroot and configure the server to deny requests for .bak, .old, and similar backup extensions.

wp-config.php~

WordPress Configuration Temporary File

Risk: This editor swap/temp copy of wp-config.php is served as raw text rather than executed, leaking the WordPress DB credentials and salts that let an attacker read or tamper with the entire site database.

Fix: Delete editor temporary files from the document root and block trailing-tilde and other temp-file patterns at the web server.
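The credential-file entries on this page (config/database.yml, core/Datavase/.env and laravel/.env, sites/default/settings.php, wp-config.php.bak and wp-config.php~) share one verification problem: a scanner reports a hit on any 200, but catch-all routes and soft-404 pages also answer 200. The following Python check is an added example, not code from this listing or from any of the projects named; it looks for each file's own syntax in the response body and names the secret-bearing directives that appeared so rotation can be prioritised. The sample bodies, the values in them and the regex set are constructed assumptions.

```python
"""Tell a real credential-file leak from a soft-404.

Added example, not part of the original listing. Sample bodies are
constructed; the regexes cover the directives the files normally hold.
"""
import re

# (file name suffix, pattern whose group 1 names a secret-bearing directive)
SIGNATURES = [
    (".env", re.compile(
        r"^(APP_KEY|DB_USERNAME|DB_PASSWORD|MAIL_PASSWORD|AWS_SECRET_ACCESS_KEY)=", re.M)),
    ("wp-config.php", re.compile(
        r"define\(\s*['\"](DB_NAME|DB_USER|DB_PASSWORD|AUTH_KEY|SECURE_AUTH_KEY|"
        r"LOGGED_IN_KEY|NONCE_KEY|AUTH_SALT|NONCE_SALT)['\"]")),
    ("database.yml", re.compile(r"^\s*(username|password|host):", re.M)),
    ("settings.php", re.compile(
        r"(\$databases\[['\"]default['\"]\]|\$settings\[['\"]hash_salt['\"]\])")),
]
# Editor/backup suffixes scanners append: wp-config.php.bak, wp-config.php~ ...
BACKUP_SUFFIX = re.compile(r"(~|\.(bak|old|orig|save|swp|txt))+$")


def canonical_name(path):
    """Map wp-config.php.bak, wp-config.php~ or sites/default/settings.php to the base file name."""
    return BACKUP_SUFFIX.sub("", path.rsplit("/", 1)[-1])


def classify_leak(path, status, body):
    """Return {'leak': bool, 'kind': suffix or None, 'secrets': [...], 'reason': str}."""
    verdict = {"leak": False, "kind": None, "secrets": [], "reason": ""}
    if not 200 <= status < 300:
        verdict["reason"] = f"status {status}"
        return verdict
    name = canonical_name(path)
    for suffix, pattern in SIGNATURES:
        if not name.endswith(suffix):
            continue
        verdict["kind"] = suffix
        found = sorted(set(pattern.findall(body)))
        head = body[:512].lower()
        if found:
            verdict.update(leak=True, secrets=found, reason="file directives present")
        elif "<html" in head or "<!doctype" in head:
            verdict["reason"] = "HTML body: catch-all page, not the file"
        else:
            verdict["reason"] = "2xx but no recognised directives; inspect manually"
        return verdict
    verdict["reason"] = "path not covered by SIGNATURES"
    return verdict


def check_url(base_url, path, timeout=5):
    """Fetch base_url/path and classify it (network; the samples below do not use it)."""
    import urllib.error
    import urllib.request
    req = urllib.request.Request(f"{base_url.rstrip('/')}/{path}",
                                 headers={"User-Agent": "leak-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_leak(path, resp.status,
                                 resp.read(65536).decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return classify_leak(path, err.code, "")


# Constructed sample responses; no value here is a real secret.
SAMPLE_ENV = (
    "APP_NAME=Shop\nAPP_ENV=production\n"
    "APP_KEY=base64:Y29uc3RydWN0ZWQtZXhhbXBsZS1rZXktbm90LXJlYWw=\n"
    "DB_USERNAME=shop\nDB_PASSWORD=example-only\n"
)
SAMPLE_WPCONFIG = (
    "<?php\ndefine( 'DB_NAME', 'wp' );\ndefine( 'DB_USER', 'wp' );\n"
    "define( 'DB_PASSWORD', 'example-only' );\ndefine( 'AUTH_KEY', 'constructed' );\n"
)
SAMPLE_SOFT404 = "<!DOCTYPE html><html><body><h1>Not found</h1></body></html>"

if __name__ == "__main__":
    print(classify_leak("laravel/.env", 200, SAMPLE_ENV))
    print(classify_leak("wp-config.php.bak", 200, SAMPLE_WPCONFIG))
    print(classify_leak("wp-config.php~", 200, SAMPLE_SOFT404))
```

A verdict of "2xx but no recognised directives" is deliberately not a pass: an empty 200 for wp-config.php~ can mean the server executed the file as PHP (no leak) or served a copy with unusual formatting, and only a look at the raw body settles it.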

wp-content/debug.log

WordPress debug log that can leak paths, queries, and errors when WP_DEBUG_LOG is enabled

Risk: If readable, this file leaks absolute server paths, database queries, plugin errors, and occasionally credentials or tokens, providing reconnaissance to chain further exploits.

Fix: Disable `WP_DEBUG_LOG` in production, write debug logs outside the web root, and deny direct HTTP access to `.log` files in the server configuration.

wp-content/plugins/hellopress/wp_mna.php

WordPress

Risk: A reachable webshell-style file dropped by a malicious or vulnerable WordPress plugin allows arbitrary file upload and command execution, giving an attacker full control of the site and its database.

Fix: Remove the offending plugin, scan the install for backdoor files and reinstall WordPress core/plugins from clean sources, and rotate all WordPress and database credentials.

wp-cron.php

WordPress pseudo-cron task runner, sometimes hit to trigger jobs or for DoS

Risk: Repeated direct requests can trigger scheduled jobs on demand and exhaust server resources, causing denial of service on shared or low-resource hosting.

Fix: Disable the HTTP-triggered cron with `define('DISABLE_WP_CRON', true)` and schedule a real system cron to call wp-cron at controlled intervals, optionally rate-limiting the path.

wp-json/wp/v2/users

WordPress REST API user-enumeration endpoint

Risk: This REST route lists WordPress accounts (ID, display name and the slug, normally derived from the login name) without authentication; it is limited to users with published public posts, which on most sites is still every author account. Together with the ?author=N redirect to /author/slug/, it gives attackers precise targets for credential-stuffing and brute-force attacks against wp-login.

Fix: Remove or gate the /wp/v2/users routes for unauthenticated requests via a `rest_endpoints` filter or security plugin, and disable author archives (or the ?author= redirect) that reveal login slugs.

xmlrpc.php

WordPress XML-RPC endpoint, frequently abused for brute-force amplification and pingback DDoS

Risk: This endpoint enables `system.multicall` password brute-force amplification (hundreds of login attempts per request) and pingback-based reflective DDoS and SSRF against third parties.

Fix: Block xmlrpc.php at the web server if it is unused, or in WordPress disable the authenticated methods with `add_filter('xmlrpc_enabled','__return_false')` and drop pingback.ping through the xmlrpc_methods filter. Note that `xmlrpc_enabled` only disables methods that require authentication (a login then fails with fault 405), so pingback and the reflective DDoS it enables remain available until pingback.ping is removed or the file is blocked outright.
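The xmlrpc_enabled filter only switches off methods that require authentication, so a site can have the filter applied and still answer pingback.ping and system.multicall. Here is an added example (not from this page or from WordPress) of verifying the endpoint's actual state after hardening, using only Python's xmlrpc.client: system.listMethods shows whether pingback.ping and system.multicall are still registered, and a wp.getUsersBlogs call with dummy credentials shows whether authenticated methods are disabled, since WordPress's login() answers fault 405 when xmlrpc_enabled is false and fault 403 for a wrong password when it is not. The responses in the block are constructed with xmlrpc.client so the audit runs offline; fetch() is the network step for your own site, and its URL and the dummy credentials are placeholders.

```python
"""Audit a WordPress xmlrpc.php endpoint after hardening.

Added example, not part of the original listing. Constructed responses
stand in for a live site so the audit runs offline; fetch() does the real
request.
"""
import xmlrpc.client as xc

# Fault codes wp_xmlrpc_server::login() returns: 405 when the xmlrpc_enabled
# filter is false, 403 for wrong credentials with XML-RPC still enabled.
FAULT_DISABLED = 405
FAULT_BAD_CREDENTIALS = 403


def listmethods_request():
    """XML for system.listMethods (no parameters)."""
    return xc.dumps((), methodname="system.listMethods")


def login_probe_request(username="audit", password="not-a-real-password"):
    """XML for wp.getUsersBlogs with dummy credentials; only the fault code matters."""
    return xc.dumps((username, password), methodname="wp.getUsersBlogs")


def audit_listmethods(response_xml):
    """Which abusable methods the server still advertises."""
    (methods,), _ = xc.loads(response_xml)
    methods = set(methods)
    return {
        "pingback_enabled": "pingback.ping" in methods,
        "multicall_enabled": "system.multicall" in methods,
        "method_count": len(methods),
    }


def audit_login_probe(response_xml):
    """Interpret the answer to the dummy-credential login."""
    try:
        xc.loads(response_xml)
    except xc.Fault as fault:
        if fault.faultCode == FAULT_DISABLED:
            return {"auth_methods_disabled": True, "fault": fault.faultCode}
        if fault.faultCode == FAULT_BAD_CREDENTIALS:
            return {"auth_methods_disabled": False, "fault": fault.faultCode}
        return {"auth_methods_disabled": None, "fault": fault.faultCode}
    # No fault at all means the dummy credentials were accepted: investigate that site.
    return {"auth_methods_disabled": False, "fault": None}


def audit(listmethods_xml, login_xml):
    """Combine both probes; hardened means no pingback, no multicall, auth disabled."""
    result = audit_listmethods(listmethods_xml)
    result.update(audit_login_probe(login_xml))
    result["hardened"] = (not result["pingback_enabled"]
                          and not result["multicall_enabled"]
                          and result["auth_methods_disabled"] is True)
    return result


def fetch(url, request_xml, timeout=5):
    """POST one XML-RPC request (network). Returns None when the web server
    refuses xmlrpc.php outright (403/404), which is the strongest hardening."""
    import urllib.error
    import urllib.request
    req = urllib.request.Request(url, data=request_xml.encode(),
                                 headers={"Content-Type": "text/xml"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError:
        return None


# Constructed responses: a stock site and one after both filters were applied.
STOCK_METHODS = ["system.multicall", "system.listMethods", "pingback.ping",
                 "wp.getUsersBlogs", "wp.getPosts", "mt.getRecentPostTitles"]
FIXED_METHODS = ["system.listMethods", "wp.getUsersBlogs", "wp.getPosts"]

RESP_LIST_STOCK = xc.dumps((STOCK_METHODS,), methodresponse=True)
RESP_LIST_FIXED = xc.dumps((FIXED_METHODS,), methodresponse=True)
RESP_LOGIN_ENABLED = xc.dumps(
    xc.Fault(FAULT_BAD_CREDENTIALS, "Incorrect username or password."), methodresponse=True)
RESP_LOGIN_DISABLED = xc.dumps(
    xc.Fault(FAULT_DISABLED, "XML-RPC services are disabled on this site."), methodresponse=True)

if __name__ == "__main__":
    print("stock:", audit(RESP_LIST_STOCK, RESP_LOGIN_ENABLED))
    print("fixed:", audit(RESP_LIST_FIXED, RESP_LOGIN_DISABLED))
```

Against a live site, run fetch(url, listmethods_request()) and fetch(url, login_probe_request()) and pass the two bodies to audit(); if fetch() returns None for both, the web server is refusing xmlrpc.php and the in-WordPress filters no longer matter.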
