https://issues.apache.org/bugzilla/show_bug.cgi?id=53111
Bug #: 53111
Summary: 1% of CMS sites expose database passwords
Product: Apache httpd-2
Version: 2.5-HEAD
Platform: PC
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P2
Component: All
AssignedTo: [email protected]
ReportedBy: [email protected]
Classification: Unclassified
As the following article explains, "Nearly 1% of websites built with a content
management system (like WordPress or Joomla) are unknowingly exposing their
database password to anyone who knows where to look."
https://www.feross.org/cmsploit/
This is due to a complex interaction between Apache, the user's text editor,
and the way those content management systems are configured. The root problem
is that if the user is editing a file like wp-config.php and the user's
connection drops, then a backup file like wp-config.php~ is saved within the
web root. Apache understands that a .php file should be run, not returned in
cleartext; but Apache doesn't know anything about .php~ files. Consequently,
Apache will return the entire contents of the file, in clear text -- exposing
any passwords that may be stored in that file.
I think there is an opportunity for Apache's default install to help protect
against this sort of failure. And, seeing as today it affects 1% of an
important class of web sites, I think that would be a valuable improvement to
Apache.
One plausible defense: Apache's default installation could recognize text
editor backup files and could (in its default configuration) refuse to serve
them.
A simple approximation at this would be to add .php~, .php#, .cgi~, .cgi#,
.save, .swp, .swo to the list of recognized extensions, and refuse to serve
files with that extension (in Apache's default configuration). Basically, this
is building a blacklist of files that Apache is not going to serve (in its
default configuration).
As a variant on this idea, the essay above suggests a rule like this:
<Files ~ "(^#.*#|~|\.sw[op])$">
    Order allow,deny
    Deny from all
</Files>
See also:
http://nmap.org/nsedoc/scripts/http-config-backup.html
http://wordpress.org/support/topic/attack-against-wp-configphp-with-a-tilde
http://blog.tigertech.net/posts/wordpress-security-thoughts/
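As an added example (not part of this bug report, the cmsploit essay, or Apache httpd itself), the script below builds a constructed web root containing the editor artefacts the report describes, audits it the way a practitioner would before relying on a server-side rule, and shows which names the essay's `<Files ~ "(^#.*#|~|\.sw[op])$">` pattern would block and which it would still serve. The artefact list, the sample file names, and the `hardened_filesmatch()` rule are our own assumptions, not Apache defaults; the hardened rule uses the 2.4 `Require all denied` form rather than the 2.2 `Order`/`Deny` pair quoted above.

```python
import os
import re
import shutil
import tempfile

# Rule quoted in the report. Apache evaluates <Files>/<FilesMatch> against the
# basename only, so the patterns below are applied to basenames, never paths.
ESSAY_RULE = re.compile(r"(^#.*#|~|\.sw[op])$")

# Editor artefact patterns (assumption: our list, built from the extensions the
# report names plus the conventions of common editors; not an Apache list).
EDITOR_ARTIFACTS = [
    (re.compile(r"^#.*#$"), "Emacs autosave"),
    (re.compile(r"~$"), "Emacs/gedit backup"),
    (re.compile(r"^\..*\.sw[op]$"), "Vim swap"),
    (re.compile(r"\.save$"), "nano emergency save"),
    (re.compile(r"\.(bak|orig|old)$"), "manual backup copy"),
]

# Constructed sample web root: every leaked file carries a fake DB password.
SAMPLE_FILES = [
    "wp-config.php",          # the real config: executed by PHP, not leaked
    "wp-config.php~",         # backup left by Emacs/gedit after a dropped session
    "#wp-config.php#",        # Emacs autosave file
    ".wp-config.php.swp",     # Vim swap file
    "wp-config.php.save",     # nano emergency save on SIGHUP
    "wp-config.php.bak",      # hand-made copy, not covered by the essay rule
    "index.php",
    "cgi-bin/script.cgi~",
]


def classify(basename):
    """Return (label, blocked_by_essay_rule) for an editor artefact, else None."""
    for pattern, label in EDITOR_ARTIFACTS:
        if pattern.search(basename):
            return label, bool(ESSAY_RULE.search(basename))
    return None


def audit_webroot(root):
    """Walk root and return sorted (relpath, label, blocked) for every artefact."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            hit = classify(name)
            if hit:
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                findings.append((rel, hit[0], hit[1]))
    return sorted(findings)


def hardened_filesmatch():
    """Apache 2.4 FilesMatch block denying every pattern in EDITOR_ARTIFACTS.
    (Assumption: our proposed rule, not part of any Apache default config.)"""
    alternatives = "|".join(p.pattern.rstrip("$") for p, _ in EDITOR_ARTIFACTS)
    return '<FilesMatch "(%s)$">\n    Require all denied\n</FilesMatch>' % alternatives


def hardened_rule_blocks(basename):
    """Check a basename against the regex embedded in hardened_filesmatch()."""
    regex = re.search(r'"(.*)"', hardened_filesmatch()).group(1)
    return bool(re.search(regex, basename))


def make_sample_webroot():
    """Create the constructed web root in a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="webroot-")
    for rel in SAMPLE_FILES:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("<?php define('DB_PASSWORD', 'constructed-secret'); ?>\n")
    return root


def remove_sample_webroot(root):
    shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    root = make_sample_webroot()
    for rel, label, blocked in audit_webroot(root):
        status = "blocked by essay rule" if blocked else "STILL SERVED as text"
        print("%-24s %-22s %s" % (rel, label, status))
    print(hardened_filesmatch())
    remove_sample_webroot(root)
```

The audit is worth running against a real document root before trusting any server-side rule: the essay's pattern catches Emacs, gedit and Vim leftovers but not nano's `.save` files or hand-made `.bak` copies, which is exactly the gap the report's longer extension list is reaching for.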