PHP Lab: Prevent exposure of configuration/backup files from web root.
Introduction and background
A developer has created a web application in PHP, and the application makes use of configuration files from the config folder of the application. He also created a backup file for one of the configuration files within the config folder and forgot to remove it. The developer did not take any precautions to prevent directory listing of this folder. In this lab, we will discuss how an attacker attempts to gain access to sensitive data on the application using these minor mistakes.
Let's begin
The application is accessible from Kali Linux using the following URL.
Learn Secure Coding
http://192.168.56.101/webapps/environment/
When accessed from a web browser, it looks like this.
We do not have much detail on the web page to explore further. So, let us use a tool called Nikto to scan this application from this path.
Open a terminal in Kali Linux and scan the application as shown in the following screenshot.
As we can see in the above figure, Nikto has found some interesting information (Highlighted in Yellow).
Nikto found a folder named "config," and interestingly, directory indexing is not disabled.
Let's access this config folder in the web browser.
db.php.old appears to be a backup file for db.php. When db.old.php is accessed from a web browser, your PHP cannot parse it due to the change in extension. This file will be downloaded as shown below.
By default, Ice Weasel stores the downloaded files in the Downloads folder.
So, let's view the contents of this file using the following command.
This file has database connection details. If MySQL is exposed to other machines over the network, an attacker can connect remotely to the MySQL server and gain unauthorized access to the data.
Even if MySQL is not exposed over the network, an attacker who gains access to the machine where MySQL is running can still connect to the database using localhost as the server name.
How to avoid this?
We can make configuration changes to the Apache server and avoid directory indexing. This ensures that no user other than your application can access the files in the directory specified.
Switch to your Ubuntu server and run the following command with sudo as shown in the following figure.
Add an entry as highlighted in the following figure.
This ensures that config folder is protected.
Restart apache server using the following command for the changes to take place.
service apache2 restart
We can cross verify this by accessing the folder once again from Kali Linux as shown below.
We cannot access any files from config folder, but the application will run fine.
Learn Secure Coding
Learn Secure Coding
Get hands-on experience with common coding mistakes, how they can be exploited and possible mitigations. Learn secure coding in:- Android and iOS
- C/C++, Java, .NET and PHP
- And more
In this Series
- PHP Lab: Prevent exposure of configuration/backup files from web root.
- Enhancing code security: Tools and techniques for safeguarding your code
- DevSecOps Tools of the trade
- Software dependencies: The silent killer behind the world's biggest attacks
- Software composition analysis and how it can protect your supply chain
- Only 20% of new developers receive secure coding training, says report
- Introduction to Secure Software Development Life Cycle
- How to control the flow of a program in x86 assembly
- Mitigating MFA bypass attacks: 5 tips for developers
- How to diagnose and locate segmentation faults in x86 assembly
- How to use the ObjDump tool with x86
- Debugging your first x86 program
- How to build a program and execute an application entirely built in x86 assembly
- Overview of common x86 instructions
- x86 basics: Data representation, memory and information storage
- What is x86 assembly?
- Introduction to x86 assembly and syntax
- Introduction to variables
- How to mitigate Race Conditions vulnerabilities
- How to avoid Cryptography errors
- Cryptography errors Exploitation Case Study
- How to exploit Cryptography errors in applications
- How to exploit race conditions
- Email-based attacks with Python: Phishing, email bombing and more
- Attacking Web Applications With Python: Recommended Tools
- Attacking Web Applications With Python: Exploiting Web Forms and Requests
- Attacking Web Applications With Python: Web Scraper Python
- Python for Network Penetration Testing: Best Practices and Evasion Techniques
- Python for network penetration testing: Hacking Windows domain controllers with impacket Python tools
- Python Language Basics: Variables, Lists, Loops, Functions and Conditionals
- How to Mitigate Poor HTTP Usage Vulnerabilities
- How to Exploit Poor HTTP Usage
- Introduction to HTTP (What Makes HTTP Vulnerabilities Possible)
- How to Mitigate Integer Overflow and Underflow Vulnerabilities
- How to exploit integer overflow and underflow
- Introduction to Parallel Processing
- What are Race Conditions?
- How Are Credentials Used In Applications?
- How To Exploit Least Privilege Vulnerabilities
- XSS Vulnerabilities Exploitation Case Study
- What is is integer overflow and underflow?
- SQL Injection Vulnerabilities Exploitation Case Study
- How to exploit improper error handling
- Improper Error Handling Exploitation Case Study
- Why Improper Error Handling Happens
- How to exploit CSRF Vulnerabilities
- How to mitigate CSRF Vulnerabilities
- What Causes Command Injection Vulnerabilities? (How are Data and Code Handled in Execution Environments)
- Command Injection Vulnerabilities
- Command Injection Vulnerabilities Exploitation Case Study
- How to mitigate Command Injection Vulnerabilities
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Secure coding