VibeSec
Severity: High (7.5), serious risk

Backup & Temp File Exposure (filename-derived)

A05:2025 · Passive check · CVSS 7.5

High impact. If this is found on your site, treat it as urgent. It can lead to real damage and is worth fixing before anything else.

What it is

Probes for backup and editor copies of your real source and config files (config.php.bak, index.php~, .env.old, vim .swp). When the web server serves such a copy as plain text instead of executing or refusing it, it leaks credentials and source code.
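The filename-derived check can also be run from the inside, against a deployed web root, before a scanner ever sees the site. The script below is an added example written for this page, not VibeSec's own code: it derives the "original" name from the backup patterns named above (a `.bak`/`.old`/`~` suffix, or a vim `.name.swp` file) and flags every match under a directory, noting whether the live file still sits beside it. The suffix list and the constructed sample tree are assumptions for the demo.

```python
import os
import re
import tempfile
from pathlib import Path
from typing import List, Optional, Tuple

# Backup/editor naming patterns assumed for this demo, built from the
# examples on the page (config.php.bak, index.php~, .env.old, vim .swp).
BACKUP_SUFFIXES = (".bak", ".old", ".orig", ".save", "~")
# vim swap files: ".index.php.swp" (and .swo, .swn, ...) next to index.php
VIM_SWAP_RE = re.compile(r"^\.(?P<base>.+)\.sw[a-p]$")


def backup_source(name: str) -> Optional[str]:
    """Return the real filename this name looks like a backup copy of, else None."""
    for suffix in BACKUP_SUFFIXES:
        if name.endswith(suffix) and len(name) > len(suffix):
            return name[: -len(suffix)]
    m = VIM_SWAP_RE.match(name)
    return m.group("base") if m else None


def find_exposed_backups(webroot: str) -> List[Tuple[str, str, bool]]:
    """Walk a web root and return (backup_path, derived_original, original_present).

    Anything listed here would be served as text by a server that has no rule
    for these names, so each hit is a file to delete or deny at the server.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(webroot):
        present = set(files)
        for fname in files:
            source = backup_source(fname)
            if source is not None:
                hits.append((os.path.join(dirpath, fname),
                             os.path.join(dirpath, source),
                             source in present))
    return sorted(hits)


def build_sample_webroot() -> str:
    """Create a constructed sample tree in a temp dir (demo data, not a real site)."""
    root = tempfile.mkdtemp(prefix="backup-audit-demo-")
    for rel in ["config.php", "config.php.bak", "index.php", "index.php~",
                ".env", ".env.old", ".index.php.swp", "css/style.css", "css/old.css"]:
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text("# sample content\n")
    return root


if __name__ == "__main__":
    for backup, original, present in find_exposed_backups(build_sample_webroot()):
        print(f"{backup}  (copy of {original}, live file present: {present})")
```

On a real deployment the same walk over the document root tells you which of these names a passive probe would find; the `css/old.css` entry in the sample shows that a plain word inside a name does not trigger the check.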

How attackers abuse it

Input reaches a system shell, so the attacker runs their own commands on your server. That means full server takeover: read any file, install malware, pivot to your other systems.

Attacker playbook

  1. Find a feature that runs a system command (ping, file conversion, export).
  2. Inject an extra command and confirm it runs via output or a measured time delay.
  3. Escalate to a full shell, then read secrets and move deeper into the network.

How VibeSec detects and confirms it

VibeSec checks for this with a passive, read-only scan that is safe to run on any site. We use VibeSec native and ffuf and base the finding only on what your site already exposes publicly.


If this is in your report: how to fix it

  • Never pass user input to a shell. Use language APIs instead of shelling out.
  • If you must call a program, use an argument array, not a single command string.
  • Validate input against a strict allow-list and run with the least privilege possible.

Check your site for this

Run a scan and see whether this affects you, in plain language with copy-paste fixes.
