Data in Web Root Vulnerability

Sensitive information available in public web server document root.

Exploits

Configuration files (commonly “.ini” files) with easily discoverable names or extensions (found via CGI, directory or other scanning methods) are a common target. Typically this data contains web database passwords, user information or other security-sensitive information.

If the PHP interpreter becomes disabled for whatever reason (commonly an admin wants to “quickly” upgrade the PHP version without proper testing and the engine gets disabled temporarily), then your source code may be revealed; see Revealed Source Code Vulnerability.

CGI, directory, and other scanning attacks may be able to recognize common components in your web root, as well.

Remedy

  • Store all sensitive data (preferably everything not essential to page or application functionality) outside of the web root (perhaps right below it in a subdirectory).
  • Deny access to configuration or other data via directives in your web server.
    • For the Apache web server, .htaccess files can facilitate this.
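As an added example (not part of the original page), the following Apache directives implement the second remedy: they disable directory listings and deny direct HTTP access to files with common configuration and backup extensions that may have been left in the document root. The document root path and the list of extensions are assumptions chosen for illustration; adjust them to the files your application actually uses.

```apache
# Added example, not from the original page. Path and extension list are assumptions.
# Placed in httpd.conf or a <VirtualHost> block. The same directives (minus the
# <Directory> wrapper) can go in a .htaccess file in the web root, provided
# AllowOverride permits Options and Limit/AuthConfig for that directory.
<Directory "/var/www/html">
    # Stop scanners from enumerating the web root via automatic indexes
    Options -Indexes

    # Deny direct requests for configuration, include, backup and data files
    <FilesMatch "\.(ini|inc|conf|cfg|bak|old|orig|sql|log)$">
        # Apache 2.4 syntax
        Require all denied
        # Apache 2.2 equivalent:
        # Order allow,deny
        # Deny from all
    </FilesMatch>

    # Deny dotfiles (e.g. .env, .svn, .git) that are often left behind
    <FilesMatch "^\.">
        Require all denied
    </FilesMatch>
</Directory>
```

After reloading Apache, a request such as `GET /config.ini` returns 403 instead of the file contents. Note that this only guards against direct retrieval; if the PHP engine is disabled, a `.php` file is still served as text, so the directives complement, rather than replace, moving sensitive data out of the web root.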

Additional Information

security/risk/data_in_web_root.txt · Last modified: 2006/12/09 17:15