PHP configuration can be exposed when pdirectory indexing has not been disabled to the config or cgi-bin folders. If developers have created backup copies of php configuration these can be accessed in situations where they cannot be parsed correctly due to a change in extension. Take db.php as an example, if the filename of the backup copy is db.php.old, the browser/php cannot parse it and therefore the file is downloaded instead (giving the hacker access to valuable database access information in this case).