How a Misconfigured PHP Directive Exposed Internal Server Paths

Introduction

During security testing on the inDrive careers platform, I discovered that the file /.user.ini was publicly accessible. This file contained sensitive PHP configuration directives that disclose internal server information and reveal the presence of a globally prepended PHP bootstrap file.

Although no direct exploitation was performed, this issue significantly aids attacker reconnaissance and could enable follow‑on attacks such as Local File Inclusion (LFI) or targeted code analysis.

The file revealed the following configuration:

auto_prepend_file='/var/www/html/aios-bootstrap.php'

This disclosure exposes:

  • Internal filesystem structure
  • The existence and location of a PHP bootstrap file executed before every PHP request

Such information should never be exposed publicly and represents a Medium‑severity Information Disclosure vulnerability.

Technical Details

What is .user.ini?

.user.ini is a PHP configuration file used to apply per-directory PHP settings, similar to .htaccess but specific to PHP. One of the most powerful directives it can contain is:

auto_prepend_file

This directive makes PHP include the named file before every script it runs, so whatever that file contains executes on every request. That makes the prepended file a security-critical component, and its path a valuable piece of information for anyone mapping the server.

Exposed Configuration

The exposed file contained:

auto_prepend_file='/var/www/html/aios-bootstrap.php'

This tells us:

  • The application runs under /var/www/html/
  • A file named aios-bootstrap.php is globally included
  • The server uses AIOS (All In One Security) or a similar security layer
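The inferences above can be automated. The following audit script is an added example for this write-up (not the author's code, and not part of PHP or AIOS): it parses the contents of a .user.ini file and reports every path-bearing directive together with the document root it implies, which is useful for reviewing such files before deployment or for triaging a disclosed one. The directive names are real PHP settings; the notes attached to them and the sample file are constructed for the example.

```python
"""Audit a .user.ini (or php.ini fragment) for directives that disclose server
internals if the file is ever served to a browser.

Added example for this write-up; it is not the author's code and not part of
PHP or AIOS. The directive names are real PHP settings; the notes attached to
them and the sample file below are constructed for the example.
"""
import posixpath
from dataclasses import dataclass
from typing import Iterator, List, Tuple

# PHP directives whose values are filesystem paths. Any of them in a publicly
# readable file leaks layout; the first two additionally name code that PHP
# runs around every request, which is what made the disclosed file sensitive.
PATH_DIRECTIVES = {
    "auto_prepend_file": "code executed before every PHP script",
    "auto_append_file": "code executed after every PHP script",
    "open_basedir": "filesystem roots PHP is confined to",
    "error_log": "location of the PHP error log",
    "include_path": "directories searched by include/require",
}


@dataclass
class Finding:
    directive: str
    value: str
    note: str
    inferred_root: str  # directory containing the path, i.e. the likely docroot


def parse_ini(text: str) -> Iterator[Tuple[str, str]]:
    """Minimal php.ini-style parser: skips blank lines, ';'/'#' comments and
    [section] headers, and strips one layer of matching quotes from values."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#[" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
            value = value[1:-1]
        yield key.lower(), value


def audit(text: str) -> List[Finding]:
    """Return one Finding per path-bearing directive found in the file."""
    findings = []
    for key, value in parse_ini(text):
        if key not in PATH_DIRECTIVES or not value:
            continue
        # Multi-path values (open_basedir, include_path) are ':'-separated on
        # Unix; the first absolute entry is enough to infer a root directory.
        first = value.split(":", 1)[0]
        root = posixpath.dirname(first) if first.startswith("/") else ""
        findings.append(Finding(key, value, PATH_DIRECTIVES[key], root))
    return findings


# Constructed sample modelled on the single line quoted in the write-up.
SAMPLE_USER_INI = """; per-directory PHP settings (constructed sample)
auto_prepend_file='/var/www/html/aios-bootstrap.php'
display_errors=Off
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_USER_INI):
        print(f"{f.directive} = {f.value}")
        print(f"  -> {f.note}; document root is probably {f.inferred_root}/")
```

Running it on the sample prints the prepended file and infers /var/www/html as the document root, which is exactly what a reader of the exposed file learns. Feed it any .user.ini you ship to see what it would give away.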

Steps to Reproduce

  1. Open a browser
  2. Navigate to:

  3. Observe that the file contents are returned directly without restriction


📸 (Screenshot attached in the report)

Security Impact

1. Internal Path Disclosure

Reveals exact filesystem paths such as:

/var/www/html/

This information significantly helps attackers during reconnaissance.

2. Identification of Globally Executed Code

Knowing that aios-bootstrap.php is executed before every PHP request:

  • Narrows an attacker's search to a single high‑value file
  • Helps attackers target a high‑impact file
  • Increases the severity of any future LFI or RFI vulnerabilities

3. Enables Follow‑On Attacks

This information can be leveraged for:

  • Local File Inclusion exploitation
  • Targeted source code disclosure
  • Configuration poisoning attacks
  • Chaining with upload or traversal vulnerabilities

Severity Assessment

Category             Rating
Vulnerability Type   Information Disclosure
OWASP                A05:2021 — Security Misconfiguration
Impact               Medium
Exploitability       Context‑dependent

While this issue alone does not lead to direct compromise, it lowers the bar for successful attacks and should be addressed promptly.

Remediation

1- Block public access to dotfiles

  • Configure the web server (Nginx / Apache) to deny access to any file whose name starts with a dot

2- Review the referenced bootstrap file

Ensure aios-bootstrap.php does not contain:

  • Hardcoded secrets
  • Debug logic
  • Insecure include statements

3- Harden PHP configuration

  • Restrict auto_prepend_file usage where possible
  • Apply least‑privilege file permissions
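Once the web server rule from step 1 is in place, it should be verified rather than assumed. The script below is an added example written for this write-up (not the author's code): it requests a few dot-prefixed paths from a base URL and classifies each response as blocked, served, or leaked (served with PHP directives visible in the body). The fetch function is injectable, so the logic is demonstrated here against a constructed fake server with a before-fix and an after-fix state; `http_fetch` is the real implementation for use against your own host. The base URL `https://example.test`, the path list and the fake responses are assumptions made for the example.

```python
"""Verify that a web server no longer serves dotfiles such as /.user.ini.

Added example for this write-up (not the author's code). `check_dotfiles`
requests each path and classifies the response; `fetch` is injectable so the
logic runs offline against the constructed fake server below, while
`http_fetch` is the real urllib-based implementation.
"""
import re
import urllib.error
import urllib.request
from typing import Callable, Dict, Iterable, Tuple

Response = Tuple[int, str]          # (HTTP status, first bytes of the body)
Fetcher = Callable[[str], Response]

# Paths to re-test after the fix (assumed list). .user.ini and .htaccess are
# the files discussed above; the trailing "/" variant catches rules that only
# match the exact filename.
DEFAULT_PATHS = ("/.user.ini", "/.htaccess", "/.user.ini/")

# If any of these directive names appears at the start of a line in the body,
# the file was served as plain text rather than blocked.
LEAK_PATTERN = re.compile(
    r"^\s*(auto_prepend_file|auto_append_file|open_basedir|error_log)\s*=",
    re.MULTILINE,
)


def http_fetch(url: str, timeout: float = 5.0) -> Response:
    """Real fetcher: GET the URL; 4xx/5xx come back as a status, not an error."""
    req = urllib.request.Request(url, headers={"User-Agent": "dotfile-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read(4096).decode("utf-8", "replace")


def classify(status: int, body: str) -> str:
    """'blocked' for 403/404, 'leaked' for a 2xx whose body shows PHP
    directives, 'served' for any other 2xx, 'other' for everything else."""
    if status in (403, 404):
        return "blocked"
    if 200 <= status < 300:
        return "leaked" if LEAK_PATTERN.search(body) else "served"
    return "other"


def check_dotfiles(base_url: str, fetch: Fetcher = http_fetch,
                   paths: Iterable[str] = DEFAULT_PATHS) -> Dict[str, Tuple[int, str]]:
    """Map each path to (status, verdict) for the given base URL."""
    results = {}
    for path in paths:
        status, body = fetch(base_url.rstrip("/") + path)
        results[path] = (status, classify(status, body))
    return results


def all_blocked(results: Dict[str, Tuple[int, str]]) -> bool:
    return all(verdict == "blocked" for _, verdict in results.values())


# --- constructed fake server states for an offline demonstration -----------
BASE_URL = "https://example.test"
BEFORE_FIX = {
    "/.user.ini": (200, "auto_prepend_file='/var/www/html/aios-bootstrap.php'\n"),
    "/.htaccess": (403, "Forbidden"),
    "/.user.ini/": (404, "Not Found"),
}
AFTER_FIX = {path: (404, "Not Found") for path in DEFAULT_PATHS}


def fake_fetch(table: Dict[str, Response]) -> Fetcher:
    """Build a fetcher that answers from a path -> response table."""
    def fetch(url: str) -> Response:
        return table.get(url[len(BASE_URL):], (404, "Not Found"))
    return fetch


if __name__ == "__main__":
    for label, table in (("before fix", BEFORE_FIX), ("after fix", AFTER_FIX)):
        res = check_dotfiles(BASE_URL, fetch=fake_fetch(table))
        print(label, res, "all blocked:", all_blocked(res))
```

Point `check_dotfiles` at your own staging host with the default `http_fetch` after changing the server configuration. One caveat worth checking while you are there: Apache's stock configuration only denies `.ht*` files, so `.user.ini` stays readable unless the pattern is widened to every dot-prefixed name; an nginx `location` that matches `/\.` with `deny all;` has the same effect on that server.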

Conclusion

Exposing .user.ini files publicly is a subtle but dangerous misconfiguration. While often overlooked, such disclosures provide attackers with valuable intelligence that can be chained with other vulnerabilities for real impact.

Fixing this issue early significantly strengthens the application's security posture and reduces future risk.

References

  • PHP Manual — auto_prepend_file
  • OWASP Top 10 — Security Misconfiguration
  • Nginx & Apache Hardening Guides

Executive Summary

The endpoint below was accessible without authentication:

Best Regards,

Kareem Husein