3

My company website just takes copies of the public html folder and keeps zip files as backups in the same folder. I want to know if this is secure or not, because other people don't know the name of the zip file. Is there a way that a bad guy can brute force the zip file name and download it?

lasan
  • Nope, bad idea. https://www.troyhunt.com/the-red-cross-blood-service-australias-largest-ever-leak-of-personal-data/ – Ben Dec 03 '16 at 06:31
  • 5
    You effectively ask how good the protection is if the attacker does not know the name. I would consider this a duplicate of [Are random URLs a safe way to protect profile photos?](http://security.stackexchange.com/questions/58215/are-random-urls-a-safe-way-to-protect-profile-photos). See also [Scan all possible files on server (Brute force Filenames)](http://security.stackexchange.com/questions/79256/scan-all-possible-files-on-server-brute-force-filenames) for tools which can be used for this. – Steffen Ullrich Dec 03 '16 at 06:50
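
The question asks whether an unknown name is a real obstacle. The script below is an added example, not part of the question or its comments: it builds the candidate list a filename scanner such as the tools in the linked thread would request for a site that archives public_html next to itself, and compares the size of that list with the entropy of a random name. The site label, wordlist, date range and the constructed web-root listing are assumptions made for the demo; a real scan sends one HTTP request per candidate.

```python
"""Build the candidate list a filename brute-forcer would request for a site
that keeps backups of public_html next to the site itself, and measure how
far that list is from the entropy of a random name.

Added example, not from the question or its comments. The site label, the
wordlist, the date range and the web-root listing below are constructed for
the demo; a real scan would send one HTTP request per candidate.
"""
import itertools
import math
import secrets
from datetime import date, timedelta

# Stems a scanner tries for a site whose document root is public_html.
BASE_WORDS = ["backup", "bak", "site", "www", "html", "public_html", "web", "old"]
EXTENSIONS = [".zip", ".tar.gz", ".tgz", ".rar", ".7z"]
DATE_FORMATS = ["%Y-%m-%d", "%Y%m%d", "%d-%m-%Y", "%Y_%m_%d", "%Y-%m"]
SEPARATORS = ["-", "_", "."]


def candidate_names(site="example", days=365, end=date(2016, 12, 3)):
    """Archive names a wordlist scan would request: plain stems plus one
    date-stamped variant per day for the `days` days ending at `end`."""
    stems = BASE_WORDS + [site, f"{site}.com"]
    names = {stem + ext for stem, ext in itertools.product(stems, EXTENSIONS)}
    stamps = {(end - timedelta(days=i)).strftime(fmt)
              for i in range(days) for fmt in DATE_FORMATS}
    for stem, sep, stamp, ext in itertools.product(stems, SEPARATORS, stamps, EXTENSIONS):
        names.add(f"{stem}{sep}{stamp}{ext}")
    return names


def guess_bits(names):
    """Brute-force work, in bits, to enumerate the whole candidate set."""
    return math.log2(len(names))


def find_exposed(candidates, listing):
    """Entries of `listing` (what really sits in the web root) that a scan would hit."""
    return sorted(name for name in listing if name in candidates)


def random_backup_name(nbytes=16, ext=".zip"):
    """128 bits of entropy by default: far beyond any wordlist, and the only
    sense in which 'nobody knows the name' actually holds."""
    return secrets.token_hex(nbytes) + ext


if __name__ == "__main__":
    cands = candidate_names()
    # Constructed web-root listing: two predictable names and one random one.
    listing = ["index.php", "public_html_2016-12-01.zip", "backup.zip", random_backup_name()]
    print(f"{len(cands)} candidates, about {guess_bits(cands):.1f} bits of guessing work")
    print("would be found by a scan:", find_exposed(cands, listing))
```

With these assumptions the whole list is a few hundred thousand names, under 18 bits of work, which a scanner clears in well under an hour at a few hundred requests per second; a name like public_html_2016-12-01.zip is in it. A 16-byte random name is 128 bits and is out of reach of enumeration, but only as long as the name never leaks by another route (a directory listing, a log, a link), which is why the answer below treats the name as no protection at all.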

1 Answer

2

It depends on what the file contains. If every file in the public_html directory is a file that is intended for public dissemination, in its original, plain-text content -- then yes, by all means. But for any website running a CMS or similar, there are probably files that contain information you don't want distributed -- like configuration information for a database on a WordPress or Drupal website. It would be foolish to rely only on an unlikely file name to keep your data safe.

Some backup services will keep .zip files in a public directory, but use some sort of protection within .htaccess (deny from all) to prevent these from being accessed. This is better than nothing, but still insufficient, because a minor change to the server configuration (changing the AllowOverride config) would render the .htaccess file powerless to control access to the directory, and the .zip files would be accessible.

My recommendation: keep ZIP files out of the public webroot, keep the permissions 600 for these files, and add a .htaccess with a "deny from all" directive in the folder as failsafe.

SDHO
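
The recommendation in the answer (archives outside the web root, mode 600, a deny-all .htaccess as a failsafe) and its caveat about AllowOverride can be put into a script. The following is an added example, not code from the answer: it relocates archives out of a web root, sets the permissions, writes the .htaccess, and parses an httpd.conf snippet to report whether that .htaccess would even be consulted. The archive suffixes, the throwaway demo web root and the config snippets are constructed for illustration.

```python
"""Relocate backup archives out of the web root, clamp them to mode 600, leave a
deny-all .htaccess in the new folder as a failsafe, and check whether Apache will
even consult that .htaccess (AllowOverride).

Added example illustrating the answer above; it is not code from the answer.
The archive suffixes, the httpd.conf snippets and the demo web root are
constructed for illustration.
"""
import os
import re
import shutil
import stat
import tempfile
from pathlib import Path

ARCHIVE_SUFFIXES = (".zip", ".tar.gz", ".tgz", ".rar", ".7z")


def deny_all_htaccess(apache_24=True):
    """Body of the failsafe .htaccess: 2.4 syntax by default, 2.2 'Deny from all' otherwise."""
    return "Require all denied\n" if apache_24 else "Order deny,allow\nDeny from all\n"


def exposed_archives(webroot):
    """Archives that are still reachable under the document root."""
    root = Path(webroot)
    return sorted(p for p in root.rglob("*")
                  if p.is_file() and p.name.lower().endswith(ARCHIVE_SUFFIXES))


def harden_backups(webroot, backup_dir, apache_24=True):
    """Move every archive under `webroot` into `backup_dir`, which must lie outside
    the web root, set 600 on each file and 700 on the folder, and write the
    deny-all .htaccess there. Returns the archives' new paths."""
    root, dest = Path(webroot).resolve(), Path(backup_dir).resolve()
    if dest == root or root in dest.parents:
        raise ValueError("backup_dir must be outside the web root")
    dest.mkdir(parents=True, exist_ok=True)
    os.chmod(dest, stat.S_IRWXU)                      # 700: only the owner lists it
    (dest / ".htaccess").write_text(deny_all_htaccess(apache_24))
    moved = []
    for archive in exposed_archives(root):
        target = dest / archive.name
        if target.exists():                           # same name in two folders: keep both
            target = dest / f"{archive.parent.name}_{archive.name}"
        shutil.move(str(archive), str(target))
        os.chmod(target, stat.S_IRUSR | stat.S_IWUSR)  # 600
        moved.append(target)
    return moved


def htaccess_honoured(httpd_conf, directory):
    """True if .htaccess files in `directory` are consulted according to the
    <Directory> blocks in `httpd_conf`. AllowOverride None (the 2.4 default when
    nothing is set; 2.2 defaulted to All) silences them, which is the caveat the
    answer raises: the failsafe only works while the server config allows it."""
    directory = os.path.normpath(directory)
    matches = []
    for m in re.finditer(r'<Directory\s+"?([^">\s]+)"?\s*>(.*?)</Directory>',
                         httpd_conf, re.S | re.I):
        block_dir = os.path.normpath(m.group(1))
        if directory == block_dir or directory.startswith(block_dir.rstrip("/") + "/"):
            matches.append((len(block_dir), m.group(2)))
    # The most specific enclosing block wins; an unset AllowOverride inherits outward.
    for _, body in sorted(matches, reverse=True):
        setting = re.search(r"^\s*AllowOverride\s+(\S.*?)\s*$", body, re.M | re.I)
        if setting:
            return setting.group(1).lower() != "none"
    return False


def run_demo():
    """Build a throwaway web root with constructed files, harden it, report results."""
    tmp = Path(tempfile.mkdtemp(prefix="bk-"))
    web, store = tmp / "public_html", tmp / "backups"
    (web / "wp-content").mkdir(parents=True)
    (web / "index.php").write_text("<?php echo 'hi';")
    (web / "public_html_2016-12-01.zip").write_bytes(b"PK\x05\x06" + b"\0" * 18)  # empty zip
    (web / "wp-content" / "site.tar.gz").write_bytes(b"\x1f\x8b")
    before = [p.name for p in exposed_archives(web)]
    moved = harden_backups(web, store)
    return {
        "before": before,
        "after": [p.name for p in exposed_archives(web)],
        "moved": sorted(p.name for p in moved),
        "modes": sorted(oct(stat.S_IMODE(p.stat().st_mode)) for p in moved),
        "htaccess": (store / ".htaccess").read_text(),
        "index_intact": (web / "index.php").is_file(),
    }


if __name__ == "__main__":
    print(run_demo())
    conf = '<Directory "/var/www">\n    AllowOverride None\n</Directory>\n'
    print("failsafe honoured under that config:", htaccess_honoured(conf, "/var/www/backups"))
```

The .htaccess is written into the backup folder, not into the web root, so the site keeps serving; it only matters if that folder is ever exposed again, and htaccess_honoured shows why it is a failsafe rather than the control: a single AllowOverride None in the enclosing <Directory> block turns it off without touching the file.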