CWE-530: Exposure of Backup File to an Unauthorized Control Sphere

VariantIncomplete

A backup file is stored in a directory or archive that is made accessible to unauthorized actors.

View on MITRE
Back to CWE Lookup

Extended Description

Often, older backup files are renamed with an extension such as .~bk to distinguish them from production files. The source code for old files that have been renamed in this manner and left in the webroot can often be retrieved. This renaming may have been performed automatically by the web server, or manually by the administrator.

Technical Details

Structure
Simple

Applicable To

Languages
Platforms

Frequently Asked Questions

What is CWE-530: Exposure of Backup File to an Unauthorized Control Sphere?+

CWE-530: Exposure of Backup File to an Unauthorized Control Sphere is a Common Weakness Enumeration (CWE) entry maintained by MITRE. A backup file is stored in a directory or archive that is made accessible to unauthorized actors. Often, older backup files are renamed with an extension such as .~bk to distinguish them from production files. The source code for old files that have been renamed in this manner and left in the webroot can often be retrieved. This renaming may have been performed automatically by the web server, or manually by the administrator.

What are the security consequences of Exposure of Backup File to an Unauthorized Control Sphere?+

If exploited, CWE-530 (Exposure of Backup File to an Unauthorized Control Sphere) it can compromise Confidentiality, leading to outcomes such as Read Application Data.

How do you prevent or mitigate Exposure of Backup File to an Unauthorized Control Sphere?+

Recommended mitigations for CWE-530 include: Recommendations include implementing a security policy within your organization that prohibits backing up web application source code in the webroot.

What is the difference between a CWE and a CVE?+

A CWE (Common Weakness Enumeration) like CWE-530 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.

Learn More