InVision: Backup of wordpress configuration file found. Leaking database users/passwords

2014-10-28T20:57:52
ID H1:33083
Type hackerone
Reporter internetwache
Modified 1970-01-01T00:00:00

Description

Hi there,

I noticed that a backup of the WordPress configuration file, wp-config.php.orig, is publicly accessible.

This file contains sensitive information about your WordPress installation, including database users/passwords and secret tokens.

Proof

```
> curl http://██████████/wp-config.php.orig
<?php
/**
 * The base configurations of the WordPress.
 *
 * This file has the following configurations: MySQL settings, Table Prefix,
 * Secret Keys, WordPress Language, and ABSPATH. You can find more information
 * by visiting {@link http://codex.wordpress.org/Editing_wp-config.php Editing
 * wp-config.php} Codex page. You can get the MySQL settings from your web host.
 *
 * This file is used by the wp-config.php creation script during the
 * installation. You don't have to use the web site, you can just copy this file
 * to "wp-config.php" and fill in the values.
 *
 * @package WordPress
 */

define('WP_SITEURL', 'http://' . $_SERVER['HTTP_HOST']);
define('WP_HOME', 'http://' . $_SERVER['HTTP_HOST']);

if( preg_match("/^███████.invisionapp.com/", $_SERVER['HTTP_HOST']) ) {
    define('ENVIRONMENT', '████');
    define('WP_DEBUG', false);
    define('MOBILEURL', '████.invisionapp.com');
    define('DB_NAME', '███████');
    define('DB_USER', '████████');
    define('DB_PASSWORD', '█████████');
    define('DB_HOST', '███');

} elseif ( $_SERVER['HTTP_HOST'] == "███.invisionapp.com" ) {
    define('ENVIRONMENT', '████████');
    define('WP_DEBUG', false);
    define('MOBILEURL', '██████.invisionapp.com');
    define('DB_NAME', '██████████');
    define('DB_USER', '█████');
    define('DB_PASSWORD', '████');
    define('DB_HOST', '████');

} else {
    define('ENVIRONMENT', 'local');
    define('WP_DEBUG', false);
    define('MOBILEURL', '████.invisionapp.com');
    define('DB_NAME', '███');
    define('DB_HOST', '████');

    define('DB_USER', '██████████');
    #define('DB_PASSWORD', '█████');
    define('DB_PASSWORD', '██████████');

    #define('DB_USER', '██████████');
    #define('DB_PASSWORD', '███');

}

[....snip...]

define('AUTH_KEY', '█████');
define('SECURE_AUTH_KEY', '█████████');
define('LOGGED_IN_KEY', '████');
define('NONCE_KEY', '███');
define('AUTH_SALT', '██████');
define('SECURE_AUTH_SALT', '████');
define('LOGGED_IN_SALT', '███');
define('NONCE_SALT', '█████████');
```

How to fix?

Do not store a .orig backup of the configuration file in a publicly accessible directory.

All the best, Sebastian
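Added example, not part of the original report or of InVision's code: a small standard-library Python probe that checks a WordPress docroot for publicly served copies of wp-config.php under the suffixes that editors, deploy scripts and humans commonly leave behind (.orig as in the report, plus .bak, ~, .swp and similar). The suffix list is an assumption, the site URL is a placeholder, and the sample response body is constructed to resemble the redacted proof above with placeholder values. The point of the `looks_like_leaked_config` heuristic is that the live wp-config.php is executed by PHP and returns an empty page, whereas a backup with a different extension is served as text, so the `define()` calls for DB_PASSWORD and the auth keys become visible; matching on those constants also avoids counting a themed 404 that is returned with status 200.

```python
"""Probe a WordPress site for publicly reachable backups of wp-config.php.

Added example, not from the original report. The suffix list is an
assumption about common backup naming; the base URL used at the bottom is
a placeholder and the sample body is constructed, not captured.
"""
import re
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

# Suffixes editors, deploy tools and people commonly leave beside the live
# config (assumption: illustrative, not exhaustive).
BACKUP_SUFFIXES = [
    ".orig", ".bak", ".old", ".save", ".swp", "~", ".txt", ".dist", ".copy", ".tmp",
]

# Constants WordPress defines in wp-config.php that must never reach a browser.
SECRET_CONSTANTS = (
    "DB_NAME", "DB_USER", "DB_PASSWORD", "DB_HOST",
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)

# A leaked config is recognisable by the define() calls for its secrets.
LEAK_MARKERS = re.compile(
    r"define\(\s*['\"](DB_PASSWORD|DB_USER|AUTH_KEY|SECURE_AUTH_KEY|NONCE_KEY)['\"]"
)

Fetcher = Callable[[str], Tuple[int, str]]


def candidate_urls(base: str, filename: str = "wp-config.php") -> List[str]:
    """URLs to probe: the config name with each backup suffix appended."""
    base = base.rstrip("/")
    return [f"{base}/{filename}{suffix}" for suffix in BACKUP_SUFFIXES]


def looks_like_leaked_config(status: int, body: str) -> bool:
    """True when a response carries wp-config contents rather than a 200-coded
    error page or the empty output of the live, executed wp-config.php."""
    return status == 200 and LEAK_MARKERS.search(body) is not None


def leaked_constants(body: str) -> List[str]:
    """Names of sensitive constants visible in a body (values are not reported)."""
    return [
        name for name in SECRET_CONSTANTS
        if re.search(rf"define\(\s*['\"]{name}['\"]", body)
    ]


def http_fetch(url: str, timeout: float = 10.0) -> Tuple[int, str]:
    """Default fetcher (network); returns (status, first 64 KiB of body)."""
    req = urllib.request.Request(url, headers={"User-Agent": "wpconfig-backup-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""
    except (urllib.error.URLError, OSError):
        return 0, ""


def scan(base: str, fetch: Fetcher = http_fetch) -> Dict[str, List[str]]:
    """Probe every candidate; return {url: [leaked constant names]} for hits."""
    findings: Dict[str, List[str]] = {}
    for url in candidate_urls(base):
        status, body = fetch(url)
        if looks_like_leaked_config(status, body):
            findings[url] = leaked_constants(body)
    return findings


# Constructed sample body shaped like the redacted proof in the report.
# Values are placeholders, not real credentials.
SAMPLE_LEAK = """<?php
define('DB_NAME', 'wp_example');
define('DB_USER', 'wp_user');
define('DB_PASSWORD', 'placeholder-password');
define('DB_HOST', 'localhost');
define('AUTH_KEY', 'placeholder-key');
"""


def fake_fetch(url: str) -> Tuple[int, str]:
    """Offline stand-in for http_fetch: only the .orig copy is 'exposed', and
    the .txt probe hits a themed 404 page that is wrongly served with 200."""
    if url.endswith("wp-config.php.orig"):
        return 200, SAMPLE_LEAK
    if url.endswith("wp-config.php.txt"):
        return 200, "<html><body><h1>Page not found</h1></body></html>"
    return 404, ""


if __name__ == "__main__":
    # Placeholder host; swap fetch=http_fetch to probe a real site you own.
    for url, names in scan("http://example.invalid", fetch=fake_fetch).items():
        print(f"EXPOSED {url}: {', '.join(names)}")
```

Running the block as-is only exercises the offline `fake_fetch`; point `scan` at a site with the default `http_fetch` to test a real install you are authorised to probe, and expect the .orig URL to be reported together with the names of the constants it exposes. On the fix side, the backup belongs outside the docroot (or deleted) rather than merely hidden; as a belt-and-braces measure, an Apache 2.4 `<FilesMatch "^wp-config\.php">` block with `Require all denied`, or an nginx `location ~* ^/wp-config\.php { deny all; }`, also covers the suffixed copies because neither pattern is anchored at the end of the filename. The probe is then useful a second time to confirm the rule actually took effect.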