Backup Folder
- PCI 3.2-6.5.8
- OWASP 2013-A7
- CWE 538
Old, backup and unreferenced files present various threats to the security of a web application. They may;
- disclose sensitive information that can facilitate a focused attack against the application; for example include files containing database credentials, configuration files containing references to other hidden content, absolute file paths, etc.
- disclose unreferenced pages containing powerful functionality that can be used to attack the application; for example an administration page that is not linked from published content but can be accessed by any user who knows where to find it.
- contain vulnerabilities that have been fixed in more recent versions; for example viewdoc.old.jsp may contain a directory traversal vulnerability that has been fixed in viewdoc.jsp but can still be exploited by anyone who finds the old version.
- disclose the source code for pages designed to execute on the server.
Remediation
Do not store backup files on production servers.