Description

A backup/temporary configuration file was found on this directory. It has been confirmed that this file contains PHP source code.

Several popular text editors like Vim and Emacs automatically create backup copies of the files you edit, giving them names like "wp-config.php~" and "#wp-config.php#". If the text editor crashes or the SSH connection drops during editing, then the temporary backup files may not be cleaned up correctly. Also, sometimes developers create this type of files to backup their work or by administrators when making backups of the web server. Most servers, including Apache, will serve the plaintext of .php~ and .php# files without passing them through the PHP preprocessor first, since they don't have the .php file extension.

Remediation

Remove this file from the web server. As an additional step, it is recommended to implement a security policy within your organization to disallow creation of temporary/backup files in directories accessible from the web.

References

Testing for Old, Backup and Unreferenced Files (OWASP-CM-006)

1% of CMS-Powered Sites Expose Their Database Passwords

Related Vulnerabilities

Source code disclosures

WordPress Plugin Download Zip Attachments Arbitrary File Download (1.0.0)

Version Disclosure (ASP.NET)

WordPress Plugin Duplicator-WordPress Migration Arbitrary File Disclosure (0.3.0)

WordPress Plugin Forums 'url' Parameter Arbitrary File Disclosure (1.4.3)

Severity

High

Classification

CWE-538 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N

Tags

Information Disclosure Test Files Source Code Disclosure