Problem Description: Server Path Disclosure Vulnerability
When using security scanning tools like 360 Website Security Check, you may receive a warning: "[Warning] Abnormal page causes server path disclosure." The root cause of this vulnerability is that the web application (e.g., PHP) outputs detailed error information (including sensitive data like server file paths and code snippets) directly to the browser when an error occurs. Attackers can use this information to understand the server structure and prepare for further attacks.
General Fix Strategy
The core principle is to disable the display of error messages to users in the production environment. The specific steps depend on your web application and server setup:
- Enable the application's built-in error handling system: If your web application (e.g., WordPress, Laravel) has its own error handling or debug management system, ensure it is correctly enabled and configured to log errors to a file instead of displaying them to users.
- Modify server configuration: If the application lacks built-in handling, you must configure the server environment accordingly.
Here are configuration methods for common environments:
1. PHP Application + Apache Server:
- Edit php.ini: display_errors = Off
- Edit httpd.conf or apache2.conf: php_flag display_errors off
- In PHP script: ini_set('display_errors', false);
2. IIS Server + ASP.NET:
- Create or modify web.config in the site root, configure customErrors mode.Specific Fix Steps for LNMP Environment
The following steps apply to servers built with the LNMP one-click installation package (Linux, Nginx, MySQL, PHP). Connect to your VPS/server via SSH (e.g., Xshell) before proceeding.
Step 1: Modify PHP Configuration (php.ini)
1. First, locate the php.ini file. Typically, use this command:
find / -name php.ini 2>/dev/nullIn a standard LNMP installation, the path is usually: /usr/local/php/etc/php.ini.
2. Open the file with a text editor (e.g., vi or nano):
vi /usr/local/php/etc/php.ini3. Search for the display_errors directive. Find a line similar to:
display_errors = On4. Change it to:
display_errors = Off5. Save and exit the editor (in vi, press Esc, then type :wq and press Enter).
Step 2: Modify PHP-FPM Configuration (php-fpm.conf)
For environments using PHP-FPM process manager, also check its configuration.
1. Open the PHP-FPM configuration file:
vi /usr/local/php/etc/php-fpm.conf2. Look for the php_flag[display_errors] or php_admin_value[display_errors] directive. It's more common to set it in php.ini, but sometimes it's overridden here.
3. If you find a configuration like <value name="display_errors">1</value> (possibly within a <pool> section), change its value to 0:
<value name="display_errors">0</value>4. Save and exit the editor.
Step 3: Restart Services for Changes to Take Effect
After modifying the configuration, you must restart PHP-FPM and Nginx services.
1. Restart PHP-FPM service:
/etc/init.d/php-fpm restart
# or
service php-fpm restart
# or (for LNMP one-click package)
/root/lnmp php-fpm restart2. Restart Nginx service:
/etc/init.d/nginx restart
# or
service nginx restart
# or (for LNMP one-click package)
/root/lnmp nginx restartYou can also use the LNMP package command to restart all services at once:
/root/lnmp restartVerification and Additional Notes
Verification: After applying the fix, rescan your site with the 360 Website Security Check tool. The vulnerability warning should disappear, and your security score should improve.
Important Notes:
- Error Logging: Turning off
display_errorsdoes not mean ignoring errors. Error messages are logged to the file specified byerror_log(also configured inphp.ini). Developers should regularly check the log file to identify and fix program issues. - Separate Development and Production Environments: It is strongly recommended to set
display_errors = Onin your local development environment for debugging, but always set it toOffin the online production environment. - Other Related Settings: To further hide information, consider setting
expose_php = Offinphp.inito hide the PHP version information.
By following these steps, you can effectively fix the server path disclosure vulnerability caused by PHP error display, thereby improving your website's security.