
Author: Government Digital Service

PHPUnit XML configuration disclosure

What this means

A PHPUnit XML configuration disclosure vulnerability arises when PHPUnit's XML configuration files (phpunit.xml, phpunit.xml.dist) are left in a location from which the web server serves them to unauthorised users.

This issue usually results from a web server misconfiguration that allows these files to be requested directly, rather than from PHPUnit itself.

Why this is a problem

The exposure of these XML files can reveal sensitive details such as:

  • database credentials
  • API keys
  • environment configurations
  • debugging or logging settings

How to check if the problem is there

Request the affected URL path (for example /phpunit.xml or /phpunit.xml.dist relative to the site root) and check whether the file contents are returned rather than an error page.
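The check described above, together with an inventory of what an exposed file would reveal (the credentials, API keys and debug settings listed under "Why this is a problem"), as an added example that is not part of the original guidance. It assumes the site serves files from its document root so the two file names sit directly under the base URL; the sample phpunit.xml and the names in SENSITIVE_NAME are constructed for illustration.

```python
"""Detect an exposed PHPUnit configuration file and list what it would leak.

Added example, not part of the original guidance. Assumes the web root is the
project root, so /phpunit.xml and /phpunit.xml.dist are the paths to probe.
"""
import re
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET
from typing import Callable

# Paths named in the guidance, relative to the site root (assumed layout).
CANDIDATE_PATHS = ("/phpunit.xml", "/phpunit.xml.dist")

# Setting names that usually carry credentials (constructed list; extend as needed).
SENSITIVE_NAME = re.compile(r"(PASS|SECRET|TOKEN|KEY|DSN|DATABASE|DB_)", re.I)

# Constructed sample file, shaped like a typical phpunit.xml. Values are placeholders.
SAMPLE_PHPUNIT_XML = """<?xml version="1.0" encoding="UTF-8"?>
<phpunit bootstrap="vendor/autoload.php" colors="true">
  <testsuites>
    <testsuite name="Unit"><directory>tests/Unit</directory></testsuite>
  </testsuites>
  <php>
    <env name="APP_ENV" value="testing"/>
    <env name="DB_PASSWORD" value="example-not-a-real-secret"/>
    <server name="STRIPE_API_KEY" value="sk_test_placeholder"/>
    <ini name="display_errors" value="1"/>
  </php>
</phpunit>
"""


def http_get(url: str) -> tuple[int, str]:
    """Fetch a URL and return (status, body); 0 means the request failed."""
    req = urllib.request.Request(url, headers={"User-Agent": "phpunit-config-check"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        return exc.code, ""
    except (urllib.error.URLError, OSError):
        return 0, ""


def check_exposure(base_url: str,
                   fetch: Callable[[str], tuple[int, str]] = http_get) -> dict[str, bool]:
    """Return {path: exposed} for each candidate path.

    Only a 200 whose body contains a <phpunit root element counts as exposed:
    a catch-all front controller that answers 200 with an HTML "not found"
    page is a false positive if you look at the status code alone.
    """
    results = {}
    for path in CANDIDATE_PATHS:
        status, body = fetch(base_url.rstrip("/") + path)
        results[path] = status == 200 and "<phpunit" in body
    return results


def sensitive_entries(xml_text: str) -> list[tuple[str, str, str]]:
    """List (element, name, value) for <env>, <server> and <ini> entries whose
    name looks credential-like. Run this over your own phpunit.xml before a
    deployment to see what a disclosure would hand to an attacker."""
    root = ET.fromstring(xml_text)
    found = []
    for elem in root.iter():
        if elem.tag in ("env", "server", "ini"):
            name = elem.get("name", "")
            if SENSITIVE_NAME.search(name):
                found.append((elem.tag, name, elem.get("value", "")))
    return found


if __name__ == "__main__":
    # Offline demonstration using a stub fetcher that "serves" the sample file.
    def stub_fetch(url: str) -> tuple[int, str]:
        return (200, SAMPLE_PHPUNIT_XML) if url.endswith("/phpunit.xml") else (404, "")

    for path, exposed in check_exposure("https://example.test", fetch=stub_fetch).items():
        print(f"{path}: {'EXPOSED' if exposed else 'not exposed'}")
    for tag, name, value in sensitive_entries(SAMPLE_PHPUNIT_XML):
        print(f"  <{tag} name={name!r}> would disclose {value!r}")
```

Replace the stub fetcher with the default http_get to run the probe against a real host you are responsible for; keep the sensitive_entries scan in a pre-deployment check so the file never ships with live values in it.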

How to fix this

PHPUnit is a unit testing framework used during development and is not intended to be installed on production systems.

You should plan to remove PHPUnit from your production systems.

If it is used in a development environment, consider restricting access to development websites to trusted IP addresses or internal networks only. Many security issues arise from exposing development websites to the internet.

On Apache, you can deny access to phpunit.xml files by adding a rule to your .htaccess file (or the virtual host configuration). The Order and Deny directives below are Apache 2.2 syntax; on Apache 2.4 replace those two lines with the directive Require all denied inside the same FilesMatch block.

Example configuration:

    # FilesMatch takes a regular expression, so escape the dots and anchor the
    # pattern to match only the two configuration file names.
    <FilesMatch "^(phpunit\.xml|phpunit\.xml\.dist)$">
        Order Allow,Deny
        Deny from all
    </FilesMatch>
