Backup file found

Hello,

We have encountered a security issue during blackbox penetration testing where some backup files were found.

Description: Publicly accessible backups and outdated copies of files can provide attackers with additional attack surface. Depending on the server configuration and file type, they may also expose source code, configuration details, and other information intended to remain secret.

Backup files:

  1. https://xxxxxx/pages/en_US/xxxx/
     https://xxxxxxx/pages/en_US/xxxxx/

How can we solve this issue? Does anyone have any suggestions?
2 answers

Hi Thilothama,


I assume you mean with backup files older copies of pages and microflows, etc., given your example of backup files.

I see two ways in which you can handle this.

  1. You can exclude them from your project; in that way they are not exposed to the client, iirc. You then don't have to throw them away from Studio Pro and can keep them as a 'backup'.
  2. The other way is to rely on git/svn. You delete the files and log somewhere the commit in which you deleted them; by branching out just one commit before, you still have the exact copy of the modeler at that point in time, including the later deleted Studio Pro documents.

Let me know which option you choose and why.
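The git workflow from option 2 above, walked through in a throwaway repository as an added example (not code from the thread or from Mendix); it assumes `git` is installed, and the page path and its content are constructed for the demo:

```shell
#!/bin/sh
# Added example: delete an outdated page document, record the deleting
# commit, then recover the document from the commit just before it.
# Assumes git is available; file name and content are constructed.
set -eu

demo_recover_deleted_page() {
  repo=$(mktemp -d)
  cd "$repo"
  git init -q .
  git config user.email "demo@example.invalid"
  git config user.name "demo"

  # 1. The outdated page lives in the project like any other document.
  mkdir -p pages/en_US/Old
  printf 'old page definition\n' > pages/en_US/Old/OldPage.page.xml
  git add -A
  git commit -qm "Add OldPage (later flagged by the scanner)"

  # 2. Remove it and log the commit that deleted it.
  git rm -q pages/en_US/Old/OldPage.page.xml
  git commit -qm "Remove outdated OldPage copy"
  deletion_commit=$(git rev-parse HEAD)
  printf 'OldPage removed in %s\n' "$deletion_commit" > REMOVED_DOCUMENTS.md

  # The document is gone from the current branch (and so from any deployment).
  ! git cat-file -e "HEAD:pages/en_US/Old/OldPage.page.xml" 2>/dev/null

  # 3. Later: branch out from the commit just before the deletion ...
  git branch -q old-page-backup "$deletion_commit^"
  # ... and the deleted document is there, byte for byte.
  content=$(git show "old-page-backup:pages/en_US/Old/OldPage.page.xml")

  cd /
  rm -rf "$repo"
  printf '%s\n' "$content"
}
```

Running `demo_recover_deleted_page` prints the recovered page definition; the same `git branch` step works against the real project repository once the deleting commit is known.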


Those aren't backup files, those are the XML files your Mendix application needs to work. They describe how each page should be displayed and what data it expects.


In short, it's a false alert from your penetration testing.