On Wed, 2004-01-28 at 15:38, Rich Bowen wrote:

> I'm somewhat torn on this one. A rule like this encourages people to do
> stupid things. Don't edit files on the live server.
There are other ways for these backup files to get onto the live server too. Think about someone editing files, then doing a wildcarded cvs import for the whole tree with the backups and all (of course this falls into the category: stupid things), and then each time the live server checks out the stuff, the backups are there. Or rsyncing the whole directory structure to live.

> On the other hand (running out of hands here) where do we draw the line.
> Do we need a rule for vi swap files? MS Word swap files? Pico swap
> files?

My point for the post was that this should be told in the security tips pages, as it might not be obvious to everyone who starts to configure Apache the way they like it. And in most cases, there are different people for writing the content files and for configuring Apache. So you cannot just eliminate stupidity without heavy larting and bofhing. This didn't come to me as "yeah it would be fun to block these", but I actually witnessed someone probing my homesite. That prober had created a list of all files in my docroot with the *.php extension and was crawling through them, then sending requests with the same filename and ~ at the end.

-- 
Jani Mikkonen <jani dot mikkonen at jippiigroup dot com>
ADVOGATO Profile: http://www.advogato.org/person/rasjani
Public key available from www.keyserver.net - ProPrivacy!
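One way to implement the rule discussed in this thread, as an added example that is not part of the original mail or of the Apache documentation. It assumes httpd 2.4 with mod_authz_core; the DocumentRoot path is a placeholder.

```apache
# Added example (not from the original mail): refuse to serve editor
# backup and swap files that leaked into the DocumentRoot via a careless
# cvs import, rsync, or in-place editing on the live server.
#
# Why it matters: a handler such as AddHandler ... .php keys on the file
# extension, so "index.php~" is not recognised as PHP and is delivered as
# plain text, disclosing the source. The probe described in the mail
# (request every known *.php name again with "~" appended) relies on this.
#
# Assumes Apache httpd 2.4. On 2.2 replace "Require all denied" with
#   Order allow,deny
#   Deny from all

# /var/www/html is a placeholder for the real DocumentRoot.
<Directory "/var/www/html">
    # Do not advertise leaked files through directory listings.
    Options -Indexes
</Directory>

# Patterns covered:
#   name~          Emacs backup
#   #name#         Emacs autosave
#   .name.swp/.swo vim swap files
#   ~$name.docx    MS Word owner/lock file
#   *.bak *.orig *.old  generic manual backups
<FilesMatch "(^#.*#$|~$|^~\$|\.(bak|orig|old|swp|swo)$)">
    Require all denied
</FilesMatch>
```

Check the rule from the outside before relying on it: a request for a known page with "~" appended should return 403, and the access log entry is itself a useful detection signal for the probing pattern the mail describes.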
