[CVE REQUESTED] phpinfo() Exposure on Ednovation's Production Subdomain
Summary
A publicly accessible PHP configuration page (phpinfo()
) was discovered on Ednovation’s production subdomain eproject.ednoland.com
.
The exposure reveals sensitive server configuration details, including environment variables, PHP extensions, loaded modules, and potentially database connection details.
Ednovation, headquartered in Singapore, is a leading provider of preschool education services across Asia, has evolved into a chain of more than 60 pre-schools and enrichment centres across Singapore, China and ASEAN.
Background & Discovery
During a directory listing review on the production subdomain https://eproject.ednoland.com/toolkits/
one of the files listed was conf.php
.
Accessing https://eproject.ednoland.com/toolkits/conf.php
resulted in a full phpinfo()
output dump.
Affected Product
- Vendor: Ednovation
- Subdomain:
https://eproject.ednoland.com
- Component: PHP configuration exposure
- Impact scope: Live production system
Vulnerability Details
The exposed phpinfo()
page contains:
- Full PHP version and build details
- Loaded extensions and their versions
- PHP configuration directives
- Environment variables
- Include paths
- HTTP headers from the request
- Server OS details
- Potential connection credentials (if stored in environment variables)
Exploitation
An attacker can leverage this exposure to:
- Fingerprint the PHP version, extensions, and server OS for targeted attacks.
- Locate sensitive values in environment variables (e.g., database passwords, API keys).
- Gain insights into server paths, configuration weaknesses, and enabled modules.
Impact
- Sensitive information disclosure — increases risk of targeted exploitation.
- Facilitates further attacks such as PHP exploits, library-specific vulnerabilities, or privilege escalation.
- Production system exposure — significantly raises the attack surface.
Mitigation
- Immediately remove public access to
conf.php
. - Avoid deploying diagnostic or debug pages to production environments.
- Restrict sensitive files behind authentication and server configuration rules.
Timeline
- 2025-07: Vulnerability discovered after reviewing public directory listing and responsibly reported to vendor
- 2025-07: Vendor acknowledged and deployed a patch
- 2025-07: Public disclosure and CVE request submitted.