A backup file is stored in a directory or archive that is made accessible to unauthorized actors.
View on MITREOften, older backup files are renamed with an extension such as .~bk to distinguish them from production files. The source code for old files that have been renamed in this manner and left in the webroot can often be retrieved. This renaming may have been performed automatically by the web server, or manually by the administrator.
At a minimum, an attacker who retrieves this file would have all the information contained in it, whether that be database calls, the format of parameters accepted by the application, or simply information regarding the architectural structure of your site.
Recommendations include implementing a security policy within your organization that prohibits backing up web application source code in the webroot.
No detection method information available for this CWE.
No examples or observed CVEs available for this CWE.
No relationship information available for this CWE.
CWE-530: Exposure of Backup File to an Unauthorized Control Sphere is a Common Weakness Enumeration (CWE) entry maintained by MITRE. A backup file is stored in a directory or archive that is made accessible to unauthorized actors. Often, older backup files are renamed with an extension such as .~bk to distinguish them from production files. The source code for old files that have been renamed in this manner and left in the webroot can often be retrieved. This renaming may have been performed automatically by the web server, or manually by the administrator.
If exploited, CWE-530 (Exposure of Backup File to an Unauthorized Control Sphere) it can compromise Confidentiality, leading to outcomes such as Read Application Data.
Recommended mitigations for CWE-530 include: Recommendations include implementing a security policy within your organization that prohibits backing up web application source code in the webroot.
A CWE (Common Weakness Enumeration) like CWE-530 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.