Vulnerability Development mailing list archives
Re: CGI source being exposed using "~"
From: gwc () KMFMS COM (George Capehart)
Date: Mon, 8 May 2000 09:12:30 -0400
Irwan Shahrin Ismail wrote:
A good practice is to have at least two machines, i.e. one for development and another for production. You should only deploy to production after everything has been tested on development. This would also avoid having temp and backup files lying around on the production server.
It is even worse than that. The vulnerability here is the server machine(s), the site itself and the admins running the site. Consider what is going on here. CGIs are being edited /on the serving machine/. That means (at least) that that machine is not stripped . . . it has emacs on it and enough people's login ids and passwords in /etc/passwd for anyone to play with. It is very likely that the machine is not in a DMZ 'cause someone was directly editing files on it . . . which nobody running a DMZ would allow. It is hard to see that there is anyone in the organization associated with that machine that has a real clue about security. That's a site just waiting to be compromised . . . At least that's the way I see it . . .
-----Original Message-----
From: phi-vuldev () EXORSUS NET [mailto:phi-vuldev () EXORSUS NET]
Sent: Monday, May 08, 2000 10:02 AM
To: VULN-DEV () SECURITYFOCUS COM
Subject: Re: CGI source being exposed using "~"

Heh. Real simple problem there :)

Unix editors often leave backups as <originalfilename>~, your ISP is foolish enough to leave these files lying around in their web tree. You're just downloading the old versions of the scripts since the last edit with emacs, or vi or joe.

A simple deny for *~ in the Apache config would fix it, preferably paired with something that regularly goes around deleting ~ files in the web tree.

Beware that a fair few websites can suffer from this problem. We deny *~ *.old *.bak *.backup etc etc

Phi
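The periodic sweep Phi describes, written out as an added example that is not part of the original thread: a POSIX sh script with a name check covering the same patterns Phi lists (*~ *.old *.bak *.backup), a finder and counter for such files under a web root, and a purge function suitable for cron. The web-root path, file names and the CGI contents in the demo are constructed sample data, not anything from the thread.

```shell
#!/bin/sh
# Added example, not code from the original thread. Editor backup files
# (emacs/vi "name~", plus .bak/.old/.backup copies) left in a web tree are
# served as plain text and leak CGI source. This script finds and removes
# them; the Apache deny rule is the other half and is not shown here.

# Return 0 if the name is a backup artefact that must never be served.
# Patterns are the ones listed in the thread: *~ *.old *.bak *.backup
is_backup_name() {
    case "$1" in
        *~|*.bak|*.old|*.backup) return 0 ;;
        *) return 1 ;;
    esac
}

# Print, one per line, every backup file under the given web root.
find_backup_files() {
    find "$1" -type f \( -name '*~' -o -name '*.bak' \
        -o -name '*.old' -o -name '*.backup' \) -print
}

# Count them, so a cron job or monitor can tell whether the tree is clean.
count_backup_files() {
    find_backup_files "$1" | wc -l | tr -d ' '
}

# Delete them, logging each removed path on stdout.
purge_backup_files() {
    find "$1" -type f \( -name '*~' -o -name '*.bak' \
        -o -name '*.old' -o -name '*.backup' \) -print -exec rm -f {} +
}

# Demo on a throwaway tree with constructed contents (assumed sample data).
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/cgi-bin"
    printf '#!/usr/bin/perl\nprint "live\\n";\n' > "$root/cgi-bin/search.cgi"
    printf '#!/usr/bin/perl\n$dbpass = "hunter2";\n' > "$root/cgi-bin/search.cgi~"
    : > "$root/index.html.bak"
    echo "before: $(count_backup_files "$root") backup file(s)"
    purge_backup_files "$root"
    echo "after:  $(count_backup_files "$root") backup file(s)"
    rm -rf "$root"
}

demo
```

The sweep only protects against files that already exist; the Apache deny rule Phi mentions is what closes the window between an editor writing `name~` and the next cron run, and the same four suffix patterns are what that rule should match.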
Current thread:
- Re: CGI source being exposed using "~", (continued)
- Re: CGI source being exposed using "~" Pavel Kankovsky (May 09)
- Re: CGI source being exposed using "~" javier (May 07)
- Re: CGI source being exposed using "~" Joe (May 08)
- Re: CGI source being exposed using "~" Bluefish (May 09)
- Re: CGI source being exposed using "~" Arturo Busleiman (May 08)
- Re: CGI source being exposed using "~" Jordan Dimov (May 08)
- Re: CGI source being exposed using "~" Adam Clarke (May 08)
- Re: CGI source being exposed using Labu Labi (May 08)
- Re: CGI source being exposed using "~" Jeremy Gaddis (May 07)
- Re: CGI source being exposed using "~" Irwan Shahrin Ismail (May 07)
- Re: CGI source being exposed using "~" George Capehart (May 08)
- Re: CGI source being exposed using "~" Brian McKinney (May 08)
- Re: CGI source being exposed using "~" Joe (May 09)