Old, backup and unreferenced files present various threats to the security of a web application. They may;

• disclose sensitive information that can facilitate a focused attack against the application; for example include files containing database credentials, configuration files containing references to other hidden content, absolute file paths, etc.
• disclose unreferenced pages containing powerful functionality that can be used to attack the application; for example an administration page that is not linked from published content but can be accessed by any user who knows where to find it.
• contain vulnerabilities that have been fixed in more recent versions; for example viewdoc.old.jsp may contain a directory traversal vulnerability that has been fixed in viewdoc.jsp but can still be exploited by anyone who finds the old version.
• disclose the source code for pages designed to execute on the server.

Do not store backup files on production servers.

• Predictable Resource Location
• Old, Backup and Unreferenced Files for Sensitive Information