[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-Disclosure] Temporary Files and Web Sites (swp, ~, etc)

To: <full-disclosure@xxxxxxxxxxxxxxxx>
Subject: Re: [Full-Disclosure] Temporary Files and Web Sites (swp, ~, etc)
From: "Marek Isalski" <Marek.Isalski@xxxxxxxxxxxxxxxxxx>
Date: Thu, 12 Aug 2004 08:32:09 +0100

>>> <bugtraq@xxxxxxxxxxxxxxxxxx> 12/08/2004 07:45:20 >>>
> In case where the 
> HTML file is an PHP, or an .index.php.swp is found, values like DB 
> usernames/passwords, security mechanism or worse might be revealed to the 
> user requesting the file.

> What can you do?
> There isn't much you can do beside:
> 1) Avoid leaving these files behind
> 2) Make rules in Apache/whatever to block access to .swp, ~, etc files.

A "fix", really a bit of coding discipline, from my previous employers':

Every .php file that Apache could see just included the .inc file of the same 
name.  Includes were in a directory not accessible by Apache.  Very easy to 
automate with a script too -- a bit of find | sed | xargs can make sure all the 
.inc files had a respective .php in the "www root" directory that Apache could 
read.

Has the additional advantage that if your .PHP interpreter breaks and Apache 
starts serving the files as-is, again you don't lose your source code to your 
customers/the internet/etc.

Marek

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Prev by Date: [Full-Disclosure] Service Pack 2, don't discuss it here.
Next by Date: [Full-Disclosure] Re: Temporary Files and Web Sites (swp, ~, etc)
Previous by thread: RE: [Full-Disclosure] SP2 and NMAP
Next by thread: [Full-Disclosure] SUSE Security Announcement: gaim (SUSE-SA:2004:025)
Index(es):
- Date
- Thread