Backup Folder

  • PCI 3.2-6.5.8
  • OWASP 2013-A7
  • CWE 538

Old, backup and unreferenced files present various threats to the security of a web application. They may:

  • disclose sensitive information that can facilitate a focused attack against the application; for example, include files containing database credentials, configuration files containing references to other hidden content, absolute file paths, etc.
  • disclose unreferenced pages containing powerful functionality that can be used to attack the application; for example an administration page that is not linked from published content but can be accessed by any user who knows where to find it.
  • contain vulnerabilities that have been fixed in more recent versions; for example viewdoc.old.jsp may contain a directory traversal vulnerability that has been fixed in viewdoc.jsp but can still be exploited by anyone who finds the old version.
  • disclose the source code for pages designed to execute on the server.

Remediation

Do not store backup files on production servers.
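A practical way to enforce this is to scan the content that is about to be deployed for files matching common backup, editor and archive naming conventions (the kind of names listed above, such as viewdoc.old.jsp) and to fail the release if any are found. The following Python scanner is an added example, not code from the original entry; the pattern list and the sample file tree are assumptions constructed for illustration, and a real deployment would tune the patterns to its own stack.

```python
import os
import re
import tempfile

# Filename conventions that usually indicate a backup, editor or archive copy
# rather than a file intended to be served. This list is an assumption for the
# example; extend it for the conventions used by your own tools and editors.
BACKUP_PATTERNS = [
    r".*\.(bak|old|orig|save|swp|tmp)$",          # config.php.bak, db.inc.old
    r".*~$",                                       # emacs/vi backup: db.inc~
    r".*\.(old|bak|orig)\.[A-Za-z0-9]+$",          # viewdoc.old.jsp
    r"^#.*#$",                                     # emacs autosave: #index.jsp#
    r"^\.#.*",                                     # emacs lock file
    r".*\.(zip|tar|tgz|gz|7z|rar)$",               # whole-site archives
]
COMPILED = [re.compile(p, re.IGNORECASE) for p in BACKUP_PATTERNS]


def is_backup_name(name):
    """Return True if a bare filename matches any backup/archive convention."""
    return any(p.match(name) for p in COMPILED)


def find_backup_files(webroot):
    """Walk a document root and return web-relative paths of suspect files."""
    hits = []
    for dirpath, _dirs, filenames in os.walk(webroot):
        for name in filenames:
            if is_backup_name(name):
                rel = os.path.relpath(os.path.join(dirpath, name), webroot)
                hits.append(rel.replace(os.sep, "/"))
    return sorted(hits)


def build_sample_tree(root):
    """Create a constructed document root mixing legitimate and backup files."""
    files = {
        "index.jsp": "<html>home</html>",
        "viewdoc.jsp": "<%-- current version --%>",
        "viewdoc.old.jsp": "<%-- superseded version --%>",
        "config.php.bak": "<?php $db_pass = 'placeholder'; ?>",
        "db.inc~": "editor backup of an include file",
        "site.zip": "PK\x03\x04",
        "css/style.css": "body { margin: 0 }",
        "admin/.htaccess": "Require all denied",
    }
    for rel, content in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)


def scan_sample_tree():
    """Build the constructed tree in a temp dir, scan it, and return the hits."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return find_backup_files(root)


if __name__ == "__main__":
    # Exit non-zero so a CI deployment step fails when backup files are present.
    found = scan_sample_tree()
    for path in found:
        print("backup file in web root:", path)
    raise SystemExit(1 if found else 0)
```

Running the scan as a pre-deployment gate is more reliable than trusting a cleanup step at release time, because the check fails closed: a single stray `.bak` or `.old` copy blocks the release instead of being served to anyone who guesses its name.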
