Re: Temporary Files and Web Sites (swp, ~, etc)

["Marek Isalski" <Marek.Isalski () smuht nwest nhs uk>]

> > > <bugtraq () beyondsecurity com> 12/08/2004 07:45:20 >>>
> In case where the 
> HTML file is an PHP, or an .index.php.swp is found, values like DB 
> usernames/passwords, security mechanism or worse might be revealed to the 
> user requesting the file.

> What can you do?
> There isn't much you can do beside:
> 1) Avoid leaving these files behind
> 2) Make rules in Apache/whatever to block access to .swp, ~, etc files.

A "fix", really a bit of coding discipline, from my previous employers':

Every .php file that Apache could see just included the .inc file of the same name.  Includes were in a directory not 
accessible by Apache.  Very easy to automate with a script too -- a bit of find | sed | xargs can make sure all the 
.inc files had a respective .php in the "www root" directory that Apache could read.

Has the additional advantage that if your .PHP interpreter breaks and Apache starts serving the files as-is, again you 
don't lose your source code to your customers/the internet/etc.

Marek

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html