Exam 312-50v13 topic 1 question 6 discussion

A. httpd.conf Explanation: httpd.conf – This is the main configuration file for the Apache HTTP Server. If misconfigured (e.g., enabling verbose error messages, directory listing, or exposing server-side paths), it can leak sensitive information to an attacker. php.ini – This file controls PHP behavior. While also important, it's less likely to directly control web server-level verbose errors unless PHP errors are enabled (display_errors = On), which can also be risky. administration.config – Not a standard or commonly known web server config file. idq.dll – This is a Microsoft Internet Information Services (IIS) file related to Index Server, and was notably associated with older exploits like Code Red II, but it’s not a configuration file in itself.

Correct: C (php.ini) If the php.ini or wp-config . php file is exposed and writable, attackers can modify their settings to manipulate the behavior of your web application... This can lead to: • Disabling security features, such as turning off error reporting or enabling dangerous PHP functions • Enabling or disabling extensions, which can affect the functionality of your application • Modifying logging settings to cover their tracks or store sensitive information ... https://www.linkedin.com/pulse/dangers-exposing-phpini-wp-configphp-configuration-files-bojan-vasic/ Can be A (httpd.conf) also correct? httpd.conf is Apache config, but the question is asking about config file ON the web server (not OF the web server) and file php.ini is for sure stored ON the web server and it is possible to enable verbose logging in php.ini. In httpd.conf is only one ErrorLog directive for Apache which refers to file log - https://httpd.apache.org/docs/2.4/mod/core.html