Zach Shepherd's WordPress Blog


Friday, November 30, 2007

Keep Apache from Displaying File Backups

It recently came to my attention that many people are unaware that Apache will display the contents of a backup PHP file (e.g. “my1337password.php~” or “my1337password.php.bak”). This is because it doesn’t associate these files with the PHP parser, so the raw source is sent to the client as plain text. This can be easily prevented with a simple addition to httpd.conf.

Example:
# Deny direct access to editor and manual backup copies of PHP/config
# sources (e.g. my1337password.php~, my1337password.php.bak) that Apache
# would otherwise serve as plain text. The regex is matched against the
# file name and is case-sensitive.
<Files ~ "\.(php|inc|config|cfg)(\~|\.bak|\.backup|\#)$">
    # Apache 2.2 access control (on Apache 2.4 use "Require all denied" instead)
    Order allow,deny
    Deny from all
    Satisfy All
</Files>
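Added example (not part of the original post): a small Python audit that walks a document root with the post's own pattern and reports which leftover files the rule blocks and which common editor/backup suffixes it leaves exposed. Apache applies a <Files> regex to the file's basename, so the check does the same; the list of uncovered suffixes (.old, .orig, .save, .swp, .swo, .dist) is an assumption, not something the post enumerates.

```python
import os
import re
import tempfile

# Source extensions the post's directive protects.
SOURCE = r"\.(php|inc|config|cfg)"
# The pattern from the post's <Files ~ "..."> directive, unchanged.
POST_PATTERN = re.compile(SOURCE + r"(\~|\.bak|\.backup|\#)$")
# Assumed list of other backup/swap suffixes the post's rule does NOT cover.
UNCOVERED = re.compile(SOURCE + r"\.(old|orig|save|swp|swo|dist)$")


def classify(basename):
    """Return 'blocked', 'exposed', or None for one file name (basename only)."""
    if POST_PATTERN.search(basename):
        return "blocked"
    if UNCOVERED.search(basename):
        return "exposed"
    return None


def audit_docroot(root):
    """Walk a document root; map each backup-looking file to its verdict."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            verdict = classify(name)  # Apache matches the basename, so do we
            if verdict:
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                findings[rel] = verdict
    return findings


def demo():
    """Constructed sample docroot with typical leftovers; returns the audit."""
    names = ["index.php", "config.php~", "db.inc.bak", "#settings.cfg#",
             "app.php.old", ".index.php.swp"]
    with tempfile.TemporaryDirectory() as root:
        for n in names:
            open(os.path.join(root, n), "w").close()
        return audit_docroot(root)


if __name__ == "__main__":
    for path, verdict in sorted(demo().items()):
        print(f"{verdict:8} {path}")
```

Anything reported as "exposed" needs the directive's suffix list extended (or the file removed from the web root); the post's rule alone will not stop Apache from serving it.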

posted by Zach at 11:52 pm

3 Comments »

  1. Could you do this in a .htaccess file, for people without access to their server config?

    JT

    Comment by Jacob Torrey — December 1, 2007 @ 11:27 pm

  2. I haven’t personally tested this exact command in an htaccess file, but, by default, any directive that can be put in httpd.conf can be put into htaccess.

    (I say “by default” because the AllowOverride directive could be used to prevent use of other directives in htaccess files.)

    See http://wiki.apache.org/httpd/Htaccess for more information.

    Regards,
    Zach

    Comment by Zach — December 1, 2007 @ 11:40 pm

  3. People should seriously take this into consideration (maybe a default config?). I was looking for files on some of my sites, and wow, some of the stuff was juicy (i.e. DB passwords, …, though none of the passwords were current).

    Thanks a lot.
    JT

    Comment by Jacob Torrey — December 11, 2007 @ 2:33 pm
