Vulnerability Development mailing list archives

Re: CGI source being exposed using "~"


From: irwan.ismail () GO2020-INC COM (Irwan Shahrin Ismail)
Date: Mon, 8 May 2000 10:50:48 +0800


A good practice is to have at least two machines, i.e. one for
development and another for production. You should only deploy
to production after everything has been tested on development.
This would also keep temp and backup files from lying around on
the production server.

-----Original Message-----
From: phi-vuldev () EXORSUS NET [mailto:phi-vuldev () EXORSUS NET]
Sent: Monday, May 08, 2000 10:02 AM
To: VULN-DEV () SECURITYFOCUS COM
Subject: Re: CGI source being exposed using "~"

Heh. Real simple problem there :)

Unix editors often leave backups as <originalfilename>~; your ISP is
foolish enough to leave these files lying around in their web tree. You're
just downloading the old versions of the scripts since the last edit with
emacs, vi or joe.

A simple deny for *~ in the Apache config would fix it, preferably paired
with something that regularly goes around deleting ~ files in the web
tree.

Beware that a fair few websites can suffer from this problem. We deny *~
*.old *.bak *.backup etc.

Phi
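Added example, not from either poster: a POSIX shell sweep for the leftover copies Phi describes (editor `~` backups, `.bak`/`.old`/`.backup`, plus vim swap files), usable as a dry-run listing or, with `--delete`, as the periodic cleanup of the web tree; it also emits the Apache `FilesMatch` / `Require all denied` rule that blocks requests for the same names in case a sweep is missed. The web root path, the exact pattern list and the Apache 2.4 syntax (Apache 1.3/2.2 used `Order deny,allow` / `Deny from all`) are assumptions, as is the sample tree built in the usage section.

```shell
#!/bin/sh
# Sweep a web tree for editor backup files and stale copies of scripts.
# Added example; assumes POSIX sh and find(1). The pattern list below is an
# assumption and should be extended to whatever editors your team uses.

# Print every regular file under $1 whose name looks like a leftover copy:
#   foo~            emacs/vi/joe backup          #foo#   emacs autosave
#   .foo.swp        vim swap file                foo.bak / foo.old / ...
find_backup_files() {
    dir=$1
    find "$dir" -type f \( -name '*~' -o -name '#*#' -o -name '*.swp' \
        -o -name '*.bak' -o -name '*.old' -o -name '*.backup' -o -name '*.orig' \)
}

# Same match, but delete instead of list. Suitable for a cron job that
# "regularly goes around deleting ~ files in the web tree".
remove_backup_files() {
    dir=$1
    find "$dir" -type f \( -name '*~' -o -name '#*#' -o -name '*.swp' \
        -o -name '*.bak' -o -name '*.old' -o -name '*.backup' -o -name '*.orig' \) \
        -exec rm -f {} +
}

# Complementary Apache 2.4 rule (assumed syntax): even if a sweep is missed,
# a request for index.cgi~ or form.pl.bak is refused rather than served as text.
apache_deny_rule() {
    cat <<'EOF'
<FilesMatch "(~|^#.*#|\.(swp|bak|old|backup|orig))$">
    Require all denied
</FilesMatch>
EOF
}

# Usage:  ./webtree-backups.sh /var/www            (list only)
#         ./webtree-backups.sh --delete /var/www   (cleanup)
#         ./webtree-backups.sh --apache            (print the deny rule)
if [ $# -gt 0 ]; then
    case $1 in
        --delete) remove_backup_files "$2" ;;
        --apache) apache_deny_rule ;;
        *)        find_backup_files "$1" ;;
    esac
fi
```

Run the listing form first and review what it finds; a `.orig` or `.old` file is occasionally the only copy of something, so the `--delete` form belongs in cron only after the dry run is clean. The Apache rule is the belt to the sweep's braces: the sweep removes the files, the rule makes sure that anything recreated by the next edit is never served.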

