Skip to content

The danger of the default files

by on April 14, 2010
(This post was originally posted in my own personal blog)
During my current research I have found some default files that some web frameworks includes into their installations that can compromise the security of a website. It also can allow an attacker to determine which framework a web page is using.

The first of these files is from the symfony framework. They offer to the developers a useful script called frontend_dev.php which show internal information about the current install and the server. As you can see in the following screenshot the information can be very useful…

symponydebug

It’s deactivated by default and can be activated changing the “lib\config\config\settings.yml” file:

# Logging and debugging settings

web_debug: false # Enable the web debug toolbar

By default the framework is configure not to show the toolbar, but a lot of web pages (indexed by Google) have activate it and allow to any user to read the private data of their websites.

googlesympony

Moreover another default files that I found researching into the default Zend Server installation are the alias /server-info and /server-status. These are part of the mod_info module and, hopefully, in Zend Server, are configured to be access only from localhost:

<Location>
SetHandler server-info
Order deny,allow
Deny from all
Allow from 127.0.0.1
</Location>

<Location>
SetHandler server-status
Order deny,allow
Deny from all
Allow from 127.0.0.1
</Location>

This is a secure default configuration that other domains using this Apache module should adopt for the security of their web pages. This is a problem discussed sometimes ago with the revelation of the /server-status file in twitter.com. It’s also known that other servers like Apache.org are offering his status and his info, but you can also found a lot of websites sharing their server-status and server-info pages.

I have found that these default files are not include in the wordlist of wfuzz or even Wikto. I don’t know why are they ignoring these files, but I’m going to add these to my default dictionaries files 🙂

Cheers!

Leave a Comment

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: