Rapid7 Vulnerability & Exploit Database

PHP Temporary File Source Code Disclosure Vulnerability

Back to Search

PHP Temporary File Source Code Disclosure Vulnerability

Severity
5
CVSS
(AV:N/AC:L/Au:N/C:P/I:N/A:N)
Published
11/01/2004
Created
07/25/2018
Added
11/01/2004
Modified
06/20/2013

Description

Various text editors automatically save backups of each file the user chooses to open with file names such as: file.ext~, #file.ext#, ~file.ext, file.ext.bak, file.ext.tmp, file.ext.old, file.bak, file.tmp and file.old. If the user edits a PHP file in the web root, the backup that is created will not be parsed by the PHP engine upon request, but will instead be returned to the remote attacker unmodified. Thus, the script's source code is disclosed.

Solution(s)

  • remove-backup-web-files

References

  • remove-backup-web-files

With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.

– Scott Cheney, Manager of Information Security, Sierra View Medical Center

;