CWE-530 将备份文件暴露给非授权控制范围
Exposure of Backup File to an Unauthorized Control Sphere
结构: Simple
Abstraction: Variant
状态: Incomplete
被利用可能性: unkown
基本描述
A backup file is stored in a directory that is accessible to actors outside of the intended control sphere.
扩展描述
Often, old files are renamed with an extension such as .~bk to distinguish them from production files. The source code for old files that have been renamed in this manner and left in the webroot can often be retrieved. This renaming may have been performed automatically by the web server, or manually by the administrator.
相关缺陷
-
cwe_Nature: ChildOf cwe_CWE_ID: 538 cwe_View_ID: 1000 cwe_Ordinal: Primary
-
cwe_Nature: ChildOf cwe_CWE_ID: 538 cwe_View_ID: 699 cwe_Ordinal: Primary
-
cwe_Nature: ChildOf cwe_CWE_ID: 552 cwe_View_ID: 1000
常见的影响
| 范围 | 影响 | 注释 |
|---|---|---|
| Confidentiality | Read Application Data | At a minimum, an attacker who retrieves this file would have all the information contained in it, whether that be database calls, the format of parameters accepted by the application, or simply information regarding the architectural structure of your site. |
可能的缓解方案
Policy
策略:
Recommendations include implementing a security policy within your organization that prohibits backing up web application source code in the webroot.