Website - Common Security Mistake

Full Version: Website - Common Security Mistake

GovernmentSecurity.org > The Archives > Exploit Articles

chris105

Aug 12 2004, 11:35 AM

If the website you are testing against has no known exploits perhaps its worth giving this a try.

CODE

Hi,

Short Background
I did some googling, and I stumbled upon what appears to be a common problem
in many web sites. The problem is that people are editing of web pages with
textual editors while neglecting to make sure no residual files are left
behind. This doesn't sound like big news until now, but read on.

So what is the issue?
People are open their web pages with editors such as vi, kedit, etc, these
editors keep a temporary copy of the file in case of failure of the editor.
The naming convention used by these editors differs greatly, the best example
I can think of that might cause problems is vi, if vi fails for whatever
reason, while you were editing index.html, a file called .index.html.swp will
be left behind.

Why is this a problem you ask?
In the case of vi, the file .index.html.swp is both hidden, and with an
extension other than HTML, this means that if access to that file is
requested, the RAW content of the HTML will be returned. In case where the
HTML file is an PHP, or an .index.php.swp is found, values like DB
usernames/passwords, security mechanism or worse might be revealed to the
user requesting the file.

What can you do?
There isn't much you can do beside:
1) Avoid leaving these files behind
2) Make rules in Apache/whatever to block access to .swp, ~, etc files.

--
Thanks
Noam Rathaus
CTO
Beyond Security Ltd.

Not an exploit as such, but can easily be used to much the same effect, perhaps a scanner could be written to detect if any of these files are on the webserver, I will see what I can do (im still using VB though (much to paradox's disgust)).

nuorder

Aug 12 2004, 12:39 PM

hey thats an intesting idea
also ~ in front of the filename is the backup created by vim unless you turn it off

Serhat

Aug 12 2004, 02:03 PM

QUOTE (chris105 @ Aug 12 2004, 11:35 AM)

I will see what I can do (im still using VB though (much to paradox's disgust)).

I am using VB also .. and yeah Paradox doesn't like it really...
He is much more of an ASM freak =P
Though nice idea.. should remind this =D

Serhat

This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.