Configuration file disclosure - Vulnerability Database

Configuration file disclosure

Description

A backup or temporary copy of a web application deployment descriptor (web.xml) has been discovered in a publicly accessible directory. This file, which normally resides in the protected /WEB-INF/ directory, contains sensitive configuration information about the application's structure, servlets, filters, and security constraints.

These backup files are commonly created by text editors (such as Vim creating "web.xml~" or Emacs creating "web.xml.bak"), by developers during manual configuration changes, or by administrators performing system backups. When editing sessions are interrupted or backup files are not properly cleaned up, they may remain accessible through the web server, bypassing the normal access restrictions that protect the original file.

Remediation

Take immediate action to remove the exposed configuration file from the web server:

1. Identify and delete backup files:

find /var/www -type f \( -name '*~' -o -name '*.bak' -o -name '*.old' -o -name '*.orig' \) -delete

2. Configure your web server to deny access to backup file patterns:

For Apache, add to your .htaccess or virtual host configuration:
<FilesMatch "(\.(bak|old|orig|save)|~)$">
    Require all denied
</FilesMatch>

For Nginx, add to your server block:
location ~ (\.(bak|old|orig|save)|~)$ {
    # "return" runs in the rewrite phase, before access checks, so a
    # "deny all" in this block would never take effect; 404 also avoids
    # confirming that the file exists.
    return 404;
}

3. Implement organizational policies:
  • Prohibit editing configuration files directly on production servers
  • Use version control systems instead of manual backup copies
  • Configure text editors to store backup files outside web-accessible directories
  • Implement automated scanning to detect and remove backup files during deployment
  • Add backup file patterns to your .gitignore or deployment exclusion lists
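The automated scan from step 3, written out as an added example (this is not Invicti's code): a deployment gate that lists editor and admin backup copies under a web root, flags any web.xml that sits outside WEB-INF, and fails when either is found. The function names and the constructed fixture directory are assumptions for illustration.

```shell
#!/bin/sh
# Pre-deployment check for the exposures described above (constructed example).
# Patterns mirror the remediation section; the web root is a local directory.

# List backup-style files under a directory, one path per line, relative to
# the root. Prints nothing when the tree is clean.
find_backup_files() {
    root="$1"
    find "$root" -type f \
        \( -name '*~' -o -name '*.bak' -o -name '*.old' \
           -o -name '*.orig' -o -name '*.save' -o -name '*.swp' \) \
        | sed "s|^$root/||" | sort
}

# List copies of web.xml (any suffix) that live outside every WEB-INF
# directory, i.e. a deployment descriptor reachable through a public path.
find_exposed_descriptors() {
    root="$1"
    find "$root" -type f -name 'web.xml*' -not -path '*/WEB-INF/*' \
        | sed "s|^$root/||" | sort
}

# Return 0 when the root is clean, 1 otherwise (usable as a CI gate).
check_webroot() {
    root="$1"
    hits=$( { find_backup_files "$root"; find_exposed_descriptors "$root"; } | sort -u)
    if [ -n "$hits" ]; then
        printf 'exposed files under %s:\n%s\n' "$root" "$hits" >&2
        return 1
    fi
    return 0
}

# Constructed fixture: a web root with one legitimate descriptor and two leaks.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/WEB-INF" "$d/static"
    printf '<web-app/>' > "$d/WEB-INF/web.xml"     # protected location
    printf '<web-app/>' > "$d/WEB-INF/web.xml~"    # editor backup left behind
    printf '<web-app/>' > "$d/static/web.xml.bak"  # copy outside WEB-INF
    printf 'ok' > "$d/static/app.js"
    echo "$d"
}
```

Run `check_webroot /path/to/webroot` as the last step before publishing; the non-zero exit status lets a deployment pipeline refuse to ship a tree that still contains such files.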
