VIM Backups Can be a Security Risk for PHP Configuration Files


Update: Aug 26, 2010
As of Vim 7.3 this might not be an issue as Vim 7.3 contains a new feature:
- Blowfish encryption, encryption of the swap file

Vim is without doubt one of the best editors around. It has been around for many years, it is well proven, and it has far more advanced features than many top-selling commercial editors.

So what is the small gripe about PHP security? It is pretty simple: PHP config files often store passwords in plain text.

For example, the WordPress config file wp-config.php stores the database password in plaintext:
    /** MySQL database username */
    define('DB_USER', 'root');
    /** MySQL database password */
    define('DB_PASSWORD', '');
As this is a PHP file, nothing is likely to be printed on screen if you access it directly, because PHP will just parse and execute the file:
    http://example.com/wp-config.php
Now when you edit this file in Vim, Vim creates an automatic backup by appending ~ to the filename, giving wp-config.php~.

So the backup file is no longer treated as a PHP file but as a plain text file, because of the php~ extension. This is dangerous because PHP won't parse the backup, and the database username and password are visible as plain text if the file is accessed directly:
    http://example.com/wp-config.php~

Possible Solution:

One easy, quick solution is simply to turn backups off in Vim.

With laptops as development environments, computers aren't as prone to power-failure crashes as desktop PCs, so not having a backup wouldn't be a great risk. If historic backups are required, version control such as CVS, SVN, Mercurial or Git is strongly encouraged.

The No Backup Vim Directive:

Set the following directive in your vimrc file (_vimrc on Windows, .vimrc on Unix, in your $HOME directory):
    set nobk
That's it: Vim will no longer make a backup copy of the file you are editing (nobk is the short form of nobackup).
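As an added check that is not part of the original post: a small POSIX shell script that scans a document root for editor leftovers, the wp-config.php~ case above plus Vim swap files and common .bak/.orig backups (the extra patterns are my assumption), so stray copies can be caught before the webserver ever serves them.

```shell
#!/bin/sh
# Added example, not from the original post. Scans a web root for editor
# artifacts that a webserver would serve as plain text. Patterns assumed here:
#   *~            Vim/Emacs backup files (the wp-config.php~ case)
#   .*.swp .*.swo Vim swap files
#   *.bak *.orig  generic editor/patch backups
find_editor_artifacts() {
    root="$1"
    # Regular files only; LC_ALL=C gives a stable byte-order sort
    find "$root" -type f \( -name '*~' -o -name '.*.swp' -o -name '.*.swo' \
         -o -name '*.bak' -o -name '*.orig' \) | LC_ALL=C sort
}

# Returns 1 when anything is found, so it can gate a deploy step.
check_webroot() {
    hits=$(find_editor_artifacts "$1")
    if [ -n "$hits" ]; then
        printf 'Editor artifacts found under %s:\n%s\n' "$1" "$hits"
        return 1
    fi
    return 0
}
```

Run it as `check_webroot /var/www/html` from a deploy hook or a cron job; a non-zero exit means a backup or swap file is sitting where it can be requested.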


Comments


Ben Fritz: You say:

"As of Vim 7.3 this might not be an issue as Vim 7.3 contains a new feature:
- Blowfish encryption, encryption of the swap file"

But Vim only encrypts the file itself, the swap file, and the undo file. There is no mention of the backup files and the viminfo file is explicitly excluded from encryption. Additionally, this encryption only occurs when you explicitly enable it on a specific file, and PHP will not be able to read the file anyway if it is encrypted, so this is a non-solution. You should still be careful about turning off backup, or setting up your server to never serve up any files except from a whitelist (maybe of file extensions).

Note that if you use version control as suggested in the post, and if you keep your working directory on the server, the text of the file may be visible in some files stored in the working copy for the sake of version control, which may similarly not have the appropriate file extension.
Sanjib: Hi Ben,

Thanks for the comment.

Perhaps a better solution would be to throw an HTTP 404 error via the webserver for any file matching a "~". For example in .htaccess:

    RedirectMatch 404 /.*~$
