How to Hide Sensitive Files on Your Web Server

Posted by Oğuz~#> (Senior Member, Bursa), 5 Jul 2009
It is possible to hide sensitive files on your web server, and sometimes it is even required. To hide files properly, it is best to first learn how files get exposed, and then move on to how to hide them.
How Can Sensitive Files be Exposed on My Website?

A web server hosts many files, often hundreds. They should be arranged so that users of the application see only what the site intends them to see. Unfortunately, routine maintenance or simple mistakes can expose files to outsiders that were never meant to be found. At the most obvious level, imagine a site that keeps a database of customer data, including credit card numbers. The database administrator needs a backup, exports the table as a plain-text file called customers.txt, and drops it into a directory under the web root, taking care not to link it from anywhere on the site. An attacker now visits the site and starts guessing interesting names. They try the following URL:
Code:
www.mysite.com/customers/customers.txt

They get all the customer data!
A more likely (and more frequent) scenario is backup copies of the site's own files. Some text editors create backup copies automatically, appending a ~ (tilde) to the filename. If the site runs PHP and you make a minor edit to index.php with such an editor directly on the server, you might see this in the web root:
Code:
[user:www]: ls index*
index.php  index.php~

An attacker could now steal your source code by navigating to the following link:
Code:
www.mysite.com/index.php~

Once they have this file, they can analyze it for further vulnerabilities or hard-coded credentials, or reuse your source code for other purposes.

How Does this Impact my Security?

Interesting files will not directly compromise a website. However, as shown above, data can be stolen or additional vulnerabilities detected more easily. When an automated scan reports an interesting file, evaluate it carefully to make sure it does not reveal anything you would not want made public. Assume every interesting file is already public.
This scanner finding often includes false positives: many text files that pose no security risk may legitimately be present and can safely be left alone.

Solutions

Evaluate whether the file is a backup or otherwise unneeded. If so, delete it or move it to a directory outside the web root, such as a dedicated backup folder. A file that is not under the document root cannot be requested over HTTP, so outsiders can no longer view the data.
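The review-and-move step above, as an added example that is not part of the original post: a POSIX shell script that lists files under a document root whose names match the patterns discussed on this page (editor ~ backups, .swp, .bak/.old/.orig copies, stray .txt/.sql/.csv exports), skips names you have decided are legitimate (robots.txt is the obvious one, since it also ends in .txt), and moves the rest into a quarantine directory outside the web root while preserving the directory layout. The sample web root, the file names in it and the quarantine path are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post. Paths and the sample files are
# constructed for illustration; adjust the patterns and KEEP_LIST to your site.

# Names that match the patterns below but must stay servable. Extend as needed.
KEEP_LIST="robots.txt humans.txt"

# List regular files under $1 (the document root) whose names look like editor
# backups, old copies or plain-text data exports. One path per line, sorted.
find_interesting_files() {
    docroot="$1"
    find "$docroot" -type f \( -name '*~' -o -name '.*.swp' \
        -o -name '*.bak' -o -name '*.old' -o -name '*.orig' \
        -o -name '*.txt' -o -name '*.sql' -o -name '*.csv' \) | sort
}

# True (exit 0) if the basename of $1 is on KEEP_LIST.
is_kept() {
    base="$(basename "$1")"
    for k in $KEEP_LIST; do
        if [ "$base" = "$k" ]; then
            return 0
        fi
    done
    return 1
}

# Move every file reported by find_interesting_files (except kept names) out of
# the web root $1 into $2, keeping the relative layout so files can be restored.
# $2 must not be inside $1, otherwise the moved files would still be servable.
quarantine_interesting_files() {
    docroot="$1"
    quarantine="$2"
    case "$quarantine" in
        "$docroot"|"$docroot"/*)
            echo "quarantine directory must be outside the web root" >&2
            return 1 ;;
    esac
    find_interesting_files "$docroot" | while IFS= read -r path; do
        is_kept "$path" && continue
        rel="${path#"$docroot"/}"
        mkdir -p "$quarantine/$(dirname "$rel")"
        mv "$path" "$quarantine/$rel"
    done
}

# Build a constructed sample web root (a stand-in for /var/www) mixing
# legitimate files with the kinds of stray files described on this page.
make_sample_docroot() {
    root="$1"
    mkdir -p "$root/customers" "$root/css"
    printf '<?php echo "hi";\n' > "$root/index.php"
    printf '<?php echo "hi";\n' > "$root/index.php~"                 # editor backup
    printf 'name,card\nalice,4111...\n' > "$root/customers/customers.txt"  # data export
    printf 'body{}\n' > "$root/css/style.css"
    printf 'body{}\n' > "$root/css/style.css.bak"                    # old copy
    printf 'User-agent: *\n' > "$root/robots.txt"                    # legitimate .txt
}

# Demo: list what would be moved, then quarantine into a sibling directory.
demo() {
    demo_root="$(mktemp -d)"
    make_sample_docroot "$demo_root/www"
    echo "Interesting files under $demo_root/www:"
    find_interesting_files "$demo_root/www"
    quarantine_interesting_files "$demo_root/www" "$demo_root/backup"
    echo "Moved out of the web root into $demo_root/backup:"
    find "$demo_root/backup" -type f
    rm -rf "$demo_root"
}

demo
```

Run the listing first and review it by hand, as the text advises, before letting the move step touch anything; the KEEP_LIST is where you record the files that are legitimately public.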
Alternatively, configure the web server not to serve certain file types. For Apache, add directives to the main configuration file (httpd.conf) or to .htaccess files in the relevant folders. A good start is to include the following in httpd.conf and restart Apache. It prevents common interesting file types from being served: ~ backups, .bak and .txt files, and .ht* (Apache configuration) files.
<Files ~ "regex"> is logically the same as <FilesMatch "regex">; both match filenames against a regular expression. The Order/Deny lines below are Apache 2.2 syntax; on Apache 2.4 replace the two lines inside each block with a single Require all denied (the old form only works there when mod_access_compat is loaded).
Code:
<FilesMatch "^\.ht">
    Order allow,deny
    Deny from all
</FilesMatch>

Code:
<Files ~ "\.bak">
    Order allow,deny
    Deny from all
</Files>
<Files ~ "\.txt">
    Order allow,deny
    Deny from all
</Files>
<Files ~ "~">
    Order allow,deny
    Deny from all
</Files>
Test these rules on a staging server before deploying them, and make sure none of the blocked types is legitimately served by your site. Note that the patterns are not anchored, so "\.txt" also blocks robots.txt and any filename that merely contains .txt; add a trailing $ (for example "\.txt$") if you only want to match the extension, and exempt robots.txt explicitly if you rely on it.
 