Full Disclosure mailing list archives
Re: Temporary Files and Web Sites (swp, ~, etc)
From: "Marek Isalski" <Marek.Isalski () smuht nwest nhs uk>
Date: Thu, 12 Aug 2004 08:32:09 +0100
>>> <bugtraq () beyondsecurity com> 12/08/2004 07:45:20 >>>
> In case where the HTML file is a PHP, or an .index.php.swp is found, values like DB usernames/passwords, security mechanism or worse might be revealed to the user requesting the file.
>
> What can you do? There isn't much you can do besides:
> 1) Avoid leaving these files behind
> 2) Make rules in Apache/whatever to block access to .swp, ~, etc files.
A "fix", really a bit of coding discipline, from my previous employers': Every .php file that Apache could see just included the .inc file of the same name. Includes were in a directory not accessible by Apache.

Very easy to automate with a script too -- a bit of find | sed | xargs can make sure all the .inc files had a respective .php in the "www root" directory that Apache could read.

Has the additional advantage that if your .PHP interpreter breaks and Apache starts serving the files as-is, again you don't lose your source code to your customers/the internet/etc.

Marek

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
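An added example of the stub-generation discipline Marek describes, plus a check for the editor leftovers the thread starts from. This is illustrative shell written for this archive page, not a script from Marek or his former employer. It assumes the layout the post implies: an includes directory (INC_DIR) that Apache cannot reach, holding NAME.inc files, and a web root (WWW_DIR) that should hold only one-line NAME.php stubs; the stub uses the absolute path of the include, which is an assumption about how the two trees are deployed.

```sh
#!/bin/sh
# Added example (not from the original post). Keeps real PHP source in
# INC_DIR, outside the web root, and puts only one-line stubs in WWW_DIR.
set -u

# make_stubs INC_DIR WWW_DIR
# For every NAME.inc under INC_DIR (subdirectories included), write
# WWW_DIR/NAME.php containing nothing but a require of that include.
# Assumption: include paths contain no single quotes.
make_stubs() {
    inc_dir=$(cd "$1" && pwd)   # absolute, so the stub works from any cwd
    www_dir=$2
    find "$inc_dir" -type f -name '*.inc' | while read -r inc; do
        rel=${inc#"$inc_dir"/}            # e.g. admin/login.inc
        stub="$www_dir/${rel%.inc}.php"    # e.g. WWW_DIR/admin/login.php
        mkdir -p "$(dirname "$stub")"
        printf "<?php require '%s';\n" "$inc_dir/$rel" > "$stub"
    done
}

# missing_stubs INC_DIR WWW_DIR
# Prints (relative to INC_DIR) every .inc that has no matching .php stub
# in the web root; empty output means the two trees are in sync.
missing_stubs() {
    inc_dir=$1
    www_dir=$2
    find "$inc_dir" -type f -name '*.inc' | while read -r inc; do
        rel=${inc#"$inc_dir"/}
        [ -f "$www_dir/${rel%.inc}.php" ] || echo "$rel"
    done
}

# find_tempfiles WWW_DIR
# Lists editor leftovers under the web root: vim swap files (.swp/.swo),
# backup copies ending in ~, and Emacs autosave/lock files. These are the
# files the thread warns a web server will serve as plain text.
find_tempfiles() {
    find "$1" -type f \( -name '*.swp' -o -name '*.swo' -o -name '*~' \
        -o -name '#*#' -o -name '.#*' \)
}

# Usage, e.g. from a deploy script (paths are placeholders):
#   make_stubs /srv/app/inc /srv/app/www
#   missing_stubs /srv/app/inc /srv/app/www   # should print nothing
#   find_tempfiles /srv/app/www               # should print nothing
```

Note that with stubs generated this way, a broken PHP handler leaks only the one-line stub (the include path), which is the property the post is after; the second half of the thread's advice, a server rule denying `.swp` and `~` names, still belongs in the Apache configuration as a backstop, since `find_tempfiles` only reports what is already there.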