Exposure of Backup File to an Unauthorized Control Sphere
Weakness ID: 530 (Weakness Variant) | Status: Incomplete
Description Summary
Extended Description
Often, old files are renamed with an extension such as .~bk to distinguish them from production files. The source code for old files that have been renamed in this manner and left in the webroot can often be retrieved. This renaming may have been performed automatically by the web server, or manually by the administrator.
Scope | Effect |
---|---|
Confidentiality | At a minimum, an attacker who retrieves this file would have all the information contained in it, whether that be database calls, the format of parameters accepted by the application, or simply information regarding the architectural structure of your site. |
Recommendations include implementing a security policy within your organization that prohibits backing up web application source code in the webroot.
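
An added example (not part of the CWE entry): a Python audit that walks a webroot and reports files with backup-style names, so the policy above can be checked before each deployment. Only `.~bk` comes from the entry; the other suffixes, the function names and the sample tree are assumptions constructed for illustration.

```python
import os
import tempfile

# Assumed suffix list: only ".~bk" comes from the CWE entry; the others are
# common editor/admin backup conventions added for this example.
BACKUP_SUFFIXES = (".~bk", ".bak", ".old", ".orig", "~")


def strip_backup_suffix(name):
    """Return the name without its backup suffix, or None if it has none."""
    lower = name.lower()
    for suffix in BACKUP_SUFFIXES:
        if lower.endswith(suffix) and len(name) > len(suffix):
            return name[: -len(suffix)]
    return None


def find_backup_files(webroot):
    """Walk webroot and return sorted (relative_path, has_live_sibling) tuples.

    has_live_sibling is True when the un-suffixed file (e.g. index.php for
    index.php.~bk) still exists beside the backup, meaning the backup is
    likely an older copy of code that is currently deployed.
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(webroot):
        present = set(filenames)
        for name in filenames:
            original = strip_backup_suffix(name)
            if original is None:
                continue
            rel = os.path.relpath(os.path.join(dirpath, name), webroot)
            findings.append((rel.replace(os.sep, "/"), original in present))
    return sorted(findings)


def build_sample_webroot(root):
    """Create a constructed sample tree (not taken from any real site)."""
    for rel in ("index.php", "index.php.~bk", "admin/db.php",
                "admin/db.php.bak", "js/app.js", "notes.old", "docs/readme~"):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("sample\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_webroot(tmp)
        for rel, live in find_backup_files(tmp):
            print(f"{rel}\tlive sibling: {live}")
```

A non-empty result can fail a build or deployment step; entries with a live sibling deserve attention first, since they are older copies of source that is still in production.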
Nature | Type | ID | Name | View(s) this relationship pertains to |
---|---|---|---|---|
ChildOf | | 538 | File and Directory Information Exposure | Development Concepts (primary) 699; Research Concepts (primary) 1000 |
ChildOf | | 552 | Files or Directories Accessible to External Parties | Research Concepts 1000 |
ChildOf | | 731 | OWASP Top Ten 2004 Category A10 - Insecure Configuration Management | Weaknesses in OWASP Top Ten (2004) (primary) 711 |
Submissions | | | |
---|---|---|---|
Submission Date | Submitter | Organization | Source |
Anonymous Tool Vendor (under NDA) | Externally Mined | | |
Modifications | | | |
Modification Date | Modifier | Organization | Source |
2008-07-01 | Eric Dalci | Cigital | External |
updated Time of Introduction | | | |
2008-09-08 | CWE Content Team | MITRE | Internal |
updated Common Consequences, Relationships, Taxonomy Mappings | | | |
2009-03-10 | CWE Content Team | MITRE | Internal |
updated Relationships | | | |
2009-10-29 | CWE Content Team | MITRE | Internal |
updated Common Consequences | | | |
2009-12-28 | CWE Content Team | MITRE | Internal |
updated Description, Name | | | |
Previous Entry Names | | | |
Change Date | Previous Entry Name | | |
2009-12-28 | Information Leak Through Backup (.~bk) Files | | |