[OSS] Security risk of server side text editing

1 Name: Anonymous 2017-11-28 16:13
http://seclists.org/oss-sec/2017/q4/330

1. CVE-2017-1000382

This vulnerability was discovered by Hanno Böck. When editing a text
file in Vim, a .swp file is created in the same directory (if you edit
"foo", the swap file will be ".foo.swp"). Hanno pointed out that this
could create a security vulnerability on PHP-enabled webservers as follows:

If a user goes to edit a .php file in the public_html directory (say
"foo.php"), a swap file will be created in the public_html directory
called ".foo.php.swp". This then exposes the contents of the PHP script
foo.php to the world. All someone has to do is go to
"http://example.com/.foo.php.swp" and he can view the .swp file which
contains the contents of the original foo.php file.

Hanno pointed out that this causes a problem with WordPress sites if the
site administrator edits the wp-config.php file in Vim: he exposes all
of the database credentials. This is made worse if Vim crashes while he
is editing it as then the .wp-config.php.swp file sticks around. He
claims he has found 750 websites that are vulnerable to this.
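
An added example, not part of the quoted advisory or of this post: a defender-side audit that walks a web document root for leftover Vim swap files and confirms each one by the `b0VIM` magic at the start of the file. The function names and the sample tree are constructed for illustration.

```python
import os
import tempfile

VIM_SWAP_MAGIC = b"b0VIM"  # first bytes of block 0 in a Vim swap file
# Vim falls back to .swo, .swn, ... when a .swp already exists.
SWAP_SUFFIXES = (".swp", ".swo", ".swn")


def is_vim_swap(path):
    """Return True if the file starts with the Vim swap-file magic."""
    try:
        with open(path, "rb") as fh:
            return fh.read(len(VIM_SWAP_MAGIC)) == VIM_SWAP_MAGIC
    except OSError:
        return False  # unreadable file: report nothing rather than guess


def find_swap_files(docroot):
    """Walk docroot and return sorted relative paths of Vim swap files."""
    hits = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            # Swap files are hidden dotfiles named after the edited file.
            if name.startswith(".") and name.endswith(SWAP_SUFFIXES):
                full = os.path.join(dirpath, name)
                if is_vim_swap(full):
                    hits.append(os.path.relpath(full, docroot))
    return sorted(hits)


def build_sample_docroot():
    """Constructed sample tree: one swap file and one same-named decoy."""
    root = tempfile.mkdtemp(prefix="docroot-")
    with open(os.path.join(root, "foo.php"), "w") as fh:
        fh.write("<?php echo 'hi'; ?>\n")
    # Constructed swap header; the rest of the block is zero padding.
    with open(os.path.join(root, ".foo.php.swp"), "wb") as fh:
        fh.write(b"b0VIM 8.0" + b"\x00" * 4087)
    # Matches the name pattern but is not a swap file: must not be reported.
    with open(os.path.join(root, ".notes.swp"), "w") as fh:
        fh.write("plain text\n")
    return root


if __name__ == "__main__":
    sample = build_sample_docroot()
    for rel in find_swap_files(sample):
        print("swap file inside docroot:", rel)
```

Keeping swap files out of the document root with Vim's `directory` option, or having the web server refuse requests for dotfiles, addresses the exposure described above.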
