Re: CGI source being exposed using "~"

[gwc () KMFMS COM (George Capehart)]

Irwan Shahrin Ismail wrote:
> A good practice is to have at least two machines, ie. one for
> development and another for production. You should only deploy
> to production after everything has been tested on development.
> This would also avoid temp and backup files to lay around on
> the production server.

It is even worse than that.  The vulnerability here is the server
machine(s), the site itself and the admins running the site.  Consider
what is going on here.  CGIs are being edited /on the serving machine/.
That means (at least) that that machine is not stripped  . . . it has
emacs on it and enough peoples' login ids and passwords in /etc/passwd
for anyone to play with.  It is very likely that the machine in not in a
DMZ 'cause someone was directly editing files on it . . . which nobody
running a DMZ would allow.  It is hard to see that there is anyone in
the organization associated with that machine that has a real clue about
security.  That's a site just waiting to be compromised . . .

At least that's the way I see it . . .

> -----Original Message-----
> From: phi-vuldev () EXORSUS NET [mailto:phi-vuldev () EXORSUS NET]
> Sent: Monday, May 08, 2000 10:02 AM
> To: VULN-DEV () SECURITYFOCUS COM
> Subject: Re: CGI source being exposed using "~"
>
> Heh. Real simple problem there :)
>
> Unix editors often leave backups as <originalfilename>~, your ISP is
> foolish enough to leave these files lying around in their web tree. You're
> just downloading the old versions of the scripts since the last edit with
> emacs, or vi or joe.
>
> A simple deny for *~ in the Apache config would fix it, preferably paired
> with something that regularly goes around deleting ~ files in the web
> tree.
>
> Beware that a fair few websites can suffer from this problem. We deny *~
> *.old *.bak *.backup etc etc
>
> Phi