Nowadays more and more sites are dynamic web applications, driven by WordPress, Joomla, Drupal or other free, open source CMSs, as well as by custom "closed source" CMSs. All of them are more or less vulnerable. According to Sam Ransbotham, in "An Empirical Analysis of Exploitation Attempts based on Vulnerabilities in Open Source Software", open source applications are more vulnerable than closed source ones.

However, the intention of this post is not to favour open source or closed source, but to raise awareness of a possible security issue.
One reason for this issue is that the architecture of an open source application is public: an attacker knows the file layout and the names of the configuration files in advance (wp-config.php for WordPress, for instance), and so knows exactly which paths to probe.
Recently a friend of mine discovered a possible vulnerability in one of my WordPress sites. It resulted from migrating the site to another server, which requires editing wp-config.php to set up the database connection. Usually such changes are made directly on the server, in a terminal editor, and several common editors leave a backup copy beside the edited file: vim does so when its 'backup' option is enabled, emacs by default. Consequently, after editing wp-config.php, a backup file wp-config.php~ was left in the document root. Because its extension is no longer .php, Apache does not hand it to the PHP handler but serves it as a plain text file, revealing the database credentials to the outside world. Once such a file has been reachable, the credentials in it should be treated as compromised and rotated, in addition to removing the file.
The fix on the web server side is extremely simple: deny access to the backup files (Apache 2.2 syntax; `<Files ~ "...">` is the older regex form of `<FilesMatch>`):
<Files ~ "\.php~">
Order allow,deny
Deny from all
Satisfy all
</Files>
Include this directive in your .htaccess file (or server configuration) as a matter of course. On Apache 2.4 the equivalent inside the same block is `Require all denied`, and the pattern is worth widening beyond .php~ to the other suffixes editors leave behind (.bak, .swp, .orig, .old and the like).
A simple solution to a complex problem, I love it!
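To go with the directive above, here is an added audit script (not part of the original post, nor WordPress or Apache code) that lists the editor residue left in a document root, optionally probes each file over HTTP to confirm the server refuses it, and prints a wider deny rule in both Apache 2.4 and 2.2 syntax. It assumes a POSIX shell with find and curl; the document root and the site URL are supplied by the caller, and the file-name patterns are my assumptions about what common editors leave behind.

```shell
#!/bin/sh
# Added audit script (not from the original post). Assumptions: a POSIX shell,
# find(1), and curl(1) for the optional HTTP probe; the document root path and
# site URL are supplied by the caller.

# Editor residue that must never be web-reachable. Name patterns (assumed to
# match the common editors): vim/emacs backups (name~), vim swap files
# (.name.swp/.swo), emacs autosave (#name#) and lock links (.#name), and the
# usual manual copies (.bak, .old, .orig, .save).
is_backup_name() {
    case "$1" in
        *~|*.swp|*.swo|\#*\#|.\#*|*.bak|*.old|*.orig|*.save) return 0 ;;
    esac
    return 1
}

# List every regular file or symlink under $1 whose basename looks like
# editor residue. Emacs lock files are dangling symlinks, hence -type l.
find_editor_leftovers() {
    find "$1" \( -type f -o -type l \) | while IFS= read -r path; do
        if is_backup_name "$(basename "$path")"; then
            printf '%s\n' "$path"
        fi
    done
}

# Probe a URL and succeed only if the server refuses it (403) or it is absent
# (404). Anything else, in particular 200, means the file is exposed.
probe_url() {
    code=$(curl -s -o /dev/null -w '%{http_code}' "$1")
    printf '%s %s\n' "$code" "$1"
    case "$code" in 403|404) return 0 ;; esac
    return 1
}

# Print an .htaccess fragment that denies the suffix patterns above, with the
# Apache 2.4 (mod_authz_core) form first and the 2.2 form as fallback.
# (emacs #name# autosave files are better deleted than filtered.)
print_deny_rule() {
    cat <<'EOF'
<FilesMatch "(~|\.(swp|swo|bak|old|orig|save))$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
        Satisfy all
    </IfModule>
</FilesMatch>
EOF
}

# Usage: sh audit_leftovers.sh /var/www/html [https://example.com]
# Lists leftovers on disk and, if a base URL is given, probes each one over HTTP.
if [ $# -gt 0 ]; then
    docroot=${1%/}
    find_editor_leftovers "$docroot" | while IFS= read -r f; do
        printf 'on disk: %s\n' "$f"
        if [ -n "${2:-}" ]; then
            probe_url "${2%/}/${f#"$docroot"/}" || printf 'EXPOSED: %s\n' "$f"
        fi
    done
    if ! find_editor_leftovers "$docroot" | grep -q .; then
        echo "no editor leftovers under $docroot"
    fi
fi
```

A 403 or 404 from the probe means the rule is doing its job; a 200 means the file is exposed and any credentials inside should be rotated. The .htaccess rule is a safety net: the durable fix is to keep backups out of the document root in the first place (in vim, if you do enable 'backup', point `backupdir` somewhere outside the web tree, e.g. `set backupdir=~/.vim/backup//`) and to delete whatever residue the script finds.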