Configuration file source code disclosure
Description
A backup or temporary copy of a configuration file has been discovered in a web-accessible directory. The file contains PHP source code that would normally be executed server-side, but because its name does not end in the .php extension the web server serves it as plain text instead of passing it to the PHP handler. Text editors such as Vim and Emacs create these files automatically while a file is being edited: backup copies named like "wp-config.php~", Emacs auto-save files named like "#wp-config.php#", and Vim swap files named like ".wp-config.php.swp". When an editing session ends abnormally (a crash or a dropped connection) or when an administrator deliberately keeps a copy such as "wp-config.php.bak" or "wp-config.php.old", the file stays behind on the server. Anyone who can guess the name can then download the source, which for a file like wp-config.php typically includes database credentials, secret keys and other configuration data that should never leave the server.
Remediation
Immediately remove all backup and temporary configuration files from web-accessible directories. Implement the following preventive measures:
1. Configure your web server to deny access to common backup file patterns. For Apache 2.4, add the following to your .htaccess (which needs AllowOverride AuthConfig or All to take effect) or to the server configuration:
<FilesMatch "\.(bak|backup|old|tmp|swp|swo)$|~$|^#">
    Require all denied
</FilesMatch>
On Apache 2.2 the body of the block is "Order deny,allow" followed by "Deny from all" instead of "Require all denied". The three alternatives cover the suffix-style copies (wp-config.php.bak, .wp-config.php.swp), the trailing-tilde backups (wp-config.php~) and the Emacs auto-save files (#wp-config.php#).
For Nginx, add to your server block:
location ~ "\.(bak|backup|old|tmp|swp|swo)$" {
    deny all;
}
location ~ "~$" {
    deny all;
}
location ~ "/#" {
    deny all;
}
Two Nginx-specific points: the location regex is matched against the decoded request path, which always begins with "/", so an Emacs auto-save file is matched by "/#" (a request for /%23wp-config.php%23 decodes to /#wp-config.php#), not by "^#". Regex locations are also tried in configuration order and the first match wins, so place these blocks before any "location ~ \.php" block, especially one whose pattern is not anchored with "$", or a file such as wp-config.php.bak may be handed to PHP-FPM instead of being denied. If you prefer not to confirm that the file exists, use "return 404;" in place of "deny all;", which answers 403.
2. Configure text editors to store backup files outside the web root by setting the appropriate editor preferences. In Vim this is the 'backupdir' option for backup files and the 'directory' option for swap files; in Emacs it is 'backup-directory-alist' for backups and 'auto-save-file-name-transforms' for the #file# auto-save copies.
3. Implement automated scanning in your deployment pipeline so that a build fails if the tree to be deployed contains any file matching the patterns above, and verify the result by requesting the likely backup names of each configuration file from the deployed site and checking that none is served.
4. Establish organizational policies prohibiting the creation of backup files in web-accessible directories and provide secure alternative locations for configuration backups.
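The pipeline check in step 3 can be a small script run against the directory about to be deployed. The following Python is an added example, not part of the original advisory or of any web server or scanner: it recognises the same names the Apache and Nginx rules above deny (trailing "~", "#name#", and the .bak/.backup/.old/.tmp/.swp/.swo suffixes), adds the .orig and .swn suffixes that patch(1) and Vim also leave behind, walks a web root, and exits non-zero if anything is found. The backup_variants() helper produces the names an editor or administrator is likely to leave next to a given configuration file, which is the list to probe on the live site after deployment.

```python
"""Deployment gate for editor backup and temporary files in a web root.

Added example (not code from the original advisory).  Usage:
    python check_backups.py /path/to/webroot
Exits 1 if any backup/temporary file is found, 0 otherwise.
"""
import os
import re
import sys
from typing import Iterable, List

# Suffix patterns denied by the Apache/Nginx rules in the remediation, plus
# .orig (patch) and .swn (Vim's third swap file), which are added here.
BACKUP_SUFFIX_RE = re.compile(
    r"\.(bak|backup|old|orig|tmp|swp|swo|swn)$", re.IGNORECASE)


def is_backup_name(path: str) -> bool:
    """True if the final path component looks like an editor or manual backup copy."""
    base = os.path.basename(path)
    if base.endswith("~"):                      # Vim/Emacs backup: wp-config.php~
        return True
    if len(base) > 2 and base.startswith("#") and base.endswith("#"):
        return True                             # Emacs auto-save: #wp-config.php#
    # Suffix copies, including Vim swap files, which are hidden: .wp-config.php.swp
    return BACKUP_SUFFIX_RE.search(base) is not None


def backup_variants(config_name: str) -> List[str]:
    """Names an editor or administrator is likely to leave beside config_name.

    Use this list to probe a deployed site (each should return 404 or 403)
    or to seed a scanner wordlist.
    """
    variants = [
        config_name + "~",             # Vim/Emacs backup
        "#" + config_name + "#",       # Emacs auto-save
        "." + config_name + ".swp",    # Vim swap file (leading dot)
        "." + config_name + ".swo",    # Vim second swap file
    ]
    for ext in (".bak", ".backup", ".old", ".orig", ".tmp"):
        variants.append(config_name + ext)      # manual copies
    return variants


def filter_backup_paths(paths: Iterable[str]) -> List[str]:
    """Return, sorted, the entries of paths that are backup/temporary files."""
    return sorted(p for p in paths if is_backup_name(p))


def scan_tree(root: str) -> List[str]:
    """Walk root and return relative paths of every backup/temporary file."""
    found: List[str] = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            if is_backup_name(name):
                found.append(os.path.relpath(os.path.join(dirpath, name), root))
    return sorted(found)


if __name__ == "__main__":
    web_root = sys.argv[1] if len(sys.argv) > 1 else "."
    hits = scan_tree(web_root)
    for hit in hits:
        print(f"backup/temporary file in web root: {hit}")
    sys.exit(1 if hits else 0)
```

Run it as the last step before the deploy copies files into the web root; a non-zero exit stops the deploy. Note that it deliberately does not flag wp-config-sample.php, which WordPress ships on purpose and which contains no real credentials.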