CWE

Exposure of Backup File to an Unauthorized Control Sphere

ID: 530		Date: (C)2012-05-14   (M)2022-10-10
Type: weakness		Status: INCOMPLETE
Abstraction Type: Variant

Description

A backup file is stored in a directory that is accessible to actors outside of the intended control sphere.

Extended Description

Often, old files are renamed with an extension such as .~bk to distinguish them from production files. The source code for old files that have been renamed in this manner and left in the webroot can often be retrieved. This renaming may have been performed automatically by the web server, or manually by the administrator.

Applicable Platforms
None

Time Of Introduction

• Implementation
• Operation

Common Consequences

Scope	Technical Impact	Notes
Confidentiality	Read application data	At a minimum, an attacker who retrieves this file would have all the information contained in it, whether that be database calls, the format of parameters accepted by the application, or simply information regarding the architectural structure of your site.

Detection Methods
None

Potential Mitigations

Phase	Strategy	Description	Effectiveness	Notes
Policy		Recommendations include implementing a security policy within your organization that prohibits backing up web application source code in the webroot.

Relationships

Related CWE	Type	View	Chain
CWE-530 ChildOf CWE-895	Category	CWE-888

Demonstrative Examples
None

White Box Definitions
None

Black Box Definitions
None

Taxynomy Mappings

Taxynomy	Id	Name	Fit
Anonymous Tool Vendor (under NDA)

References:
None