| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: bugtraq at beyondsecurity.com (bugtraq@...ondsecurity.com) Subject: Temporary Files and Web Sites (swp, ~, etc) Hi, Short Background I did some googling, and I stumbled upon what appears to be a common problem in many web sites. The problem is that people are editing of web pages with textual editors while neglecting to make sure no residual files are left behind. This doesn't sound like big news until now, but read on. So what is the issue? People are open their web pages with editors such as vi, kedit, etc, these editors keep a temporary copy of the file in case of failure of the editor. The naming convention used by these editors differs greatly, the best example I can think of that might cause problems is vi, if vi fails for whatever reason, while you were editing index.html, a file called .index.html.swp will be left behind. Why is this a problem you ask? In the case of vi, the file .index.html.swp is both hidden, and with an extension other than HTML, this means that if access to that file is requested, the RAW content of the HTML will be returned. In case where the HTML file is an PHP, or an .index.php.swp is found, values like DB usernames/passwords, security mechanism or worse might be revealed to the user requesting the file. What can you do? There isn't much you can do beside: 1) Avoid leaving these files behind 2) Make rules in Apache/whatever to block access to .swp, ~, etc files. -- Thanks Noam Rathaus CTO Beyond Security Ltd. Join the SecuriTeam community on Orkut: http://www.orkut.com/Community.aspx?cmm=44441
Powered by blists - more mailing lists