With all the precautions you can take to actively protect sensitive data on your web server, sometimes there are unintended consequences of your actions that may result in information disclosure.
Consider this scenario:
Adam is the administrator of a WordPress-based website. The database credentials have changed and Adam needs to update the WordPress configuration for the new username and password. Adam logs into the web server over SSH and opens up wp-config.php in Vim.
After making his changes, but before he can close Vim, Adam’s network connection goes down and the SSH session drops. Some time later Heather comes along and finds Adam’s website. Seeing that it’s a WordPress site she attempts to retrieve .wp-config.php.swp.
Because Adam’s SSH connection dropped before Vim was closed, the swap file that was automatically generated by Vim may still exist and could be retrieved by Heather using a simple HTTP GET request. Heather could extract Adam’s database credentials from this file.
Vim uses this swap file mechanism to make recovery possible after a crash. Other file editors have similar features.
This recovery can be very helpful but the unintended consequence here is that the web server isn’t going to interpret .wp-config.php.swp as a PHP file and will serve it as plain text instead, making the contents readable to anyone who cares to look.
Here are some tips and techniques that can be used to mitigate this sort of information disclosure:
- Don’t edit any files directly on the production server. Instead, make all file edits on a development or staging server and then only copy the specifically changed files to the production server. Make sure not to copy entire directories to avoid accidentally copying over these temporary files.
- Configure your text editors or any other applications you use to write their temporary files to a location other than the current directory. Or, if you can live without the functionality they provide, configure your editors not to write temporary files at all. Many applications allow for this sort of configuration. In Vim you can change your backup and swap file location by putting the following two lines in your .vimrc file (create both directories first; Vim does not create them for you):

    set backupdir=~/.vim/backup
    set directory=~/.vim/tmp
- Configure your web server to only serve pages with allowed file types. By explicitly configuring the web server to only serve certain file types, any other files that accidentally end up on the web server will not be accessible. This not only covers the text editor temporary files already discussed but other files that might accidentally end up in the web root, such as backup files. In Apache this can be configured with the following setup (the deny-everything rule comes first, and only the allow-listed extensions are opened back up):

    Deny from all
    <FilesMatch "\.(html|php|jpg|png)$">
        Allow from all
    </FilesMatch>

  On Apache 2.4 the equivalent directives are `Require all denied` and `Require all granted`.
These techniques can be used individually or in combination to prevent accidental information disclosure due to unintended consequences of normal application use. If you haven’t been using these techniques these sorts of files may already exist on your web servers. Fortunately, WebApp360 will locate these files for you so they can be cleaned up.
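As an added example (not code from the original article or from WebApp360), here is a Python script that walks a web root and flags editor swap and backup files, plus any file whose extension is not on the FilesMatch allow-list above; the web root it creates and the file names in it are constructed for the demonstration.

```python
import os
import re
import tempfile

# Extensions the web server is allowed to serve (same list as the FilesMatch rule above).
ALLOWED_EXTENSIONS = {"html", "php", "jpg", "png"}

# Names left behind by editors: Vim swap files (.name.swp, .swo, ...), Emacs
# auto-save (#name#) and backup (name~) files, and common manual backup copies.
EDITOR_ARTIFACTS = [
    (re.compile(r"^\..+\.sw[a-p]$"), "vim swap file"),
    (re.compile(r"^#.+#$"), "emacs auto-save file"),
    (re.compile(r".+~$"), "editor backup file"),
    (re.compile(r".+\.(bak|orig|old|save)$", re.I), "backup copy"),
]

def classify(filename):
    """Return why a file should not be in the web root, or None if it is acceptable."""
    for pattern, reason in EDITOR_ARTIFACTS:
        if pattern.match(filename):
            return reason
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_EXTENSIONS:
        return "extension '%s' not on the allow-list" % ext
    return None

def scan_webroot(root):
    """Walk the web root and return [(relative_path, reason)] for every flagged file."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in sorted(filenames):
            reason = classify(name)
            if reason:
                findings.append((os.path.relpath(os.path.join(dirpath, name), root), reason))
    return findings

def demo():
    """Build a constructed web root that mirrors the dropped-SSH scenario and scan it."""
    root = tempfile.mkdtemp(prefix="webroot-")
    files = {"index.php": "<?php echo 'hello';",
             "wp-config.php": "<?php define('DB_PASSWORD', 'example');",
             ".wp-config.php.swp": "b0VIM (swap file left behind by the editor)",
             "wp-config.php~": "previous copy of the configuration"}
    for name, content in files.items():
        with open(os.path.join(root, name), "w") as fh:
            fh.write(content)
    return scan_webroot(root)

if __name__ == "__main__":
    for path, reason in demo():
        print("%s: %s" % (path, reason))
```

Point scan_webroot() at a real document root to list files the allow-list would hide but that should be deleted anyway; the allow-list stops them being served, the scan finds them so they can be cleaned up.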