====== Data in Web Root Vulnerability ======

Sensitive information is available in the public web server document root.

===== Exploits =====

Common configuration data (commonly "''.ini''" files) stored under easily discoverable file names or extensions is a frequent target, located via [[security:attack:cgi_scanning|CGI]], [[security:attack:directory_scanning|directory]] or other scanning methods. Typically this data contains web database passwords, user information or other security-sensitive information.

If the PHP interpreter becomes disabled for whatever reason (commonly an admin wants to "quickly" upgrade the PHP version without proper testing and the engine gets disabled temporarily), then your [[revealing_source_code|source code may be revealed]].

[[security:attack:cgi_scanning|CGI]], [[security:attack:directory_scanning|directory]] and other scanning attacks may be able to recognize common components in your web root as well.

===== Remedy =====

  * Store all sensitive data (preferably everything not essential to page or application functionality) outside of the web root, for example in a directory beside it, just outside the document root.
  * Deny access to configuration or other data files via directives in your web server.
  * For the Apache web server, [[http://httpd.apache.org/docs/howto/htaccess.html|.htaccess]] files can facilitate this.

===== Additional Information =====

  * [[revealing_source_code|Revealing Source Code Vulnerability]]
  * [[security:attack:cgi_scanning|CGI Scanning Attack]]
  * [[security:attack:directory_scanning|Directory Scanning Attack]]
  * See [[security:web_application_security|web application security]] and [[catalog|security vulnerabilities catalog]].
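The second and third remedy bullets in concrete form, as an added example that is not part of the original page: Apache directives that refuse requests for configuration files by extension, first in the main server configuration and then as the equivalent ''.htaccess'' rule. The extension list and the ''AllowOverride'' assumptions are the editor's, not the page's.

```apache
# Added example: block direct HTTP access to configuration and leftover
# data files that were left inside the document root.

# Option 1 (preferred): in httpd.conf or the virtual host definition.
# Extensions listed here are an assumption; extend them to match your site.
<Directory "/var/www/html">
    # Stop directory listings so the web root cannot be enumerated.
    Options -Indexes

    # Apache 2.4 syntax: any matching file name answers 403 Forbidden.
    <FilesMatch "\.(ini|inc|conf|cfg|bak|old|orig|sql|log)$">
        Require all denied
    </FilesMatch>
</Directory>

# Option 2: the same rule inside a .htaccess file in the web root.
# This only takes effect if the main configuration grants the directory
# an AllowOverride setting that permits it (AllowOverride All does);
# with AllowOverride None the file is silently ignored.
<FilesMatch "\.(ini|inc)$">
    Require all denied
</FilesMatch>

# Apache 2.2 equivalent of the rule above, for older servers.
<FilesMatch "\.(ini|inc)$">
    Order allow,deny
    Deny from all
</FilesMatch>
```

After reloading Apache, a request for a file such as ''/config.ini'' should return 403 rather than 200 with the file contents; scanners that hit the old name will still see the 403, so the real fix remains moving the file out of the document root.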