1. Introduction
A Backup File vulnerability occurs when unnecessary backup files are present on a web server. These backups can contain sensitive information, such as credentials or API keys, left over from previous file modifications. This poses a medium risk to confidentiality, integrity and availability if exploited by an attacker. Web applications and servers that routinely create file backups are typically affected.
2. Technical Explanation
- Root cause: Failure to remove obsolete backup files from the web server root directory.
- Exploit mechanism: An attacker adds common backup file extensions to URLs and checks for a 200 OK response, indicating the existence of a backup file.
- Scope: Web servers running any operating system or platform that allows file storage and retrieval are potentially affected.
3. Detection and Assessment
You can confirm vulnerability by checking for the presence of common backup file extensions on your web server. A thorough assessment involves scanning all files within the web root directory.
- Quick checks: Use a command-line tool to list files with specific extensions in the web root directory. For example, `ls -l *.bak` or `dir *.orig`.
- Scanning: Nessus plugin ID 10423 can identify backup files on web servers. This is an example only; results may vary.
- Logs and evidence: Review web server access logs for requests containing common backup file extensions, which could indicate reconnaissance attempts.
ls -l *.bak4. Solution / Remediation Steps
Remove obsolete backup files from the web server root directory to prevent unauthorized access to sensitive data. Ensure that any detected files containing credentials or private API keys are rotated and no longer active.
4.1 Preparation
- Ensure you have access to restore the original files if needed. A roll back plan involves restoring from the pre-change backup.
- Change windows may be required depending on service impact; approval from system owners is recommended.
4.2 Implementation
- Step 1: List all files with common backup extensions in the web root directory using a command like `find /var/www -name “*.bak”` or `dir /var/www*.bak`.
- Step 2: Securely delete each identified backup file using the `rm` (Linux) or `del` (Windows) command. For example, `rm /var/www/example.bak`.
- Step 3: Verify that no other backup files exist in subdirectories within the web root directory. Repeat steps 1 and 2 for each subdirectory as needed.
4.3 Config or Code Example
Before
/var/www/config.php /var/www/config.php.bakAfter
/var/www/config.php4.4 Security Practices Relevant to This Vulnerability
Implementing secure configuration practices and a robust patch management process can help prevent this vulnerability. Least privilege access reduces the impact if exploited, while regular file system reviews identify unnecessary files.
- Practice 1: Implement least privilege access controls to limit user permissions on web server files.
- Practice 2: Regularly review and remove obsolete or unused files from the web server root directory.
4.5 Automation (Optional)
A simple script can automate the removal of backup files. Use caution when running automated scripts, especially in production environments.
#!/bin/bash
find /var/www -name "*.bak" -delete
find /var/www -name "*.orig" -delete
# Add other extensions as needed
5. Verification / Validation
Confirm the fix by re-running the detection methods used earlier and verifying that no backup files are present. Perform a simple service smoke test to ensure functionality remains intact.
- Post-fix check: Run `ls -l *.bak` or `dir *.orig`. The output should be empty, indicating no backup files were found.
- Re-test: Re-run the scanner used in step 3 of Detection and Assessment to confirm that no backup files are reported.
- Smoke test: Verify that key web application features (e.g., login, data submission) continue to function as expected.
- Monitoring: Monitor web server access logs for requests containing common backup file extensions; any occurrences should be investigated.
ls -l *.bak6. Preventive Measures and Monitoring
Update security baselines to include a requirement for removing obsolete files. Incorporate checks in CI/CD pipelines to prevent the creation of backup files in production environments. Implement a regular patch or configuration review cycle.
- Baselines: Update your web server security baseline to require periodic removal of backup files.
- Pipelines: Add static analysis tools (SAST) to your CI/CD pipeline to identify and prevent the creation of backup files during deployment.
- Asset and patch process: Establish a regular schedule for reviewing and patching web servers, including checking for unnecessary files.
7. Risks, Side Effects, and Roll Back
- Risk or side effect 1: Accidental deletion of important files; mitigation is to maintain a full server backup.
- Roll back: Restore the web server from the pre-change backup created in step 1 of Preparation.
8. References and Resources
- Vendor advisory or bulletin: Not applicable for this general vulnerability.
- NVD or CVE entry: Not applicable for this general vulnerability.
- Product or platform documentation relevant to the fix: http://www.webappsec.org/projects/threat/classes/information_leakage.shtml