Vulnerability Development mailing list archives
Re: CGI source being exposed using "~"
From: irwan.ismail () GO2020-INC COM (Irwan Shahrin Ismail)
Date: Mon, 8 May 2000 10:50:48 +0800
A good practice is to have at least two machines, i.e. one for development and another for production. You should only deploy to production after everything has been tested on development. This would also avoid temp and backup files lying around on the production server.

-----Original Message-----
From: phi-vuldev () EXORSUS NET [mailto:phi-vuldev () EXORSUS NET]
Sent: Monday, May 08, 2000 10:02 AM
To: VULN-DEV () SECURITYFOCUS COM
Subject: Re: CGI source being exposed using "~"

Heh. Real simple problem there :)

Unix editors often leave backups as <originalfilename>~, your ISP is foolish enough to leave these files lying around in their web tree. You're just downloading the old versions of the scripts since the last edit with emacs, or vi or joe.

A simple deny for *~ in the Apache config would fix it, preferably paired with something that regularly goes around deleting ~ files in the web tree.

Beware that a fair few websites can suffer from this problem. We deny *~ *.old *.bak *.backup etc etc

Phi
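
The periodic cleanup mentioned in the quoted message, sketched as an added example that is not part of either post: a POSIX shell sweep of a web tree for the four patterns named in the thread (`*~ *.old *.bak *.backup`). The function names, the `DRY_RUN` switch and the sample tree are constructed for this illustration.

```shell
#!/bin/sh
# Sweep a web tree for editor backups and leftover copies.
# Patterns come from the thread: *~ *.old *.bak *.backup
# Function names and DRY_RUN are assumptions made for this example.

# List matching regular files under $1. Any further arguments are passed
# to find as an action; with none, find prints the matches.
find_backup_files() {
    root=$1; shift
    find "$root" -type f \( -name '*~' -o -name '*.old' \
        -o -name '*.bak' -o -name '*.backup' \) "$@"
}

# Number of matches; 0 means the tree is clean.
count_backup_files() {
    find_backup_files "$1" | wc -l | tr -d ' '
}

# Remove matches. DRY_RUN=1 only reports what would be deleted.
purge_backup_files() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        find_backup_files "$1" | sed 's/^/would remove: /'
    else
        # -exec keeps odd file names (spaces, leading dashes) intact
        find_backup_files "$1" -exec rm -f -- {} +
    fi
}

# Constructed sample tree: two live files and four leftovers.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/cgi-bin" "$t/docs"
    : > "$t/cgi-bin/search.cgi"
    : > "$t/cgi-bin/search.cgi~"
    : > "$t/cgi-bin/login.pl.bak"
    : > "$t/docs/index.html"
    : > "$t/docs/index.html.old"
    : > "$t/docs/notes.backup"
    printf '%s\n' "$t"
}

# Run with --demo to see a dry run against the sample tree.
if [ "${1:-}" = "--demo" ]; then
    tree=$(make_sample_tree)
    DRY_RUN=1
    purge_backup_files "$tree"
    rm -rf "$tree"
fi
```

Run from cron with `DRY_RUN=1` first, and treat a non-zero `count_backup_files` on a production web root as a sign that editing is happening on the live server.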