14

Often it occurs that when bulk uploading files somewhere, the author forgets that some of the files are open in Vim and uploads their swap files as well. Can this leak some sensitive information, perhaps about the author's machine or network?

Petr
  • Hmm, good point. I edit stuff on a live website with vim, but never thought about the swp files that might leak parts of the content... The odds are low that someone will try whether the swp file is present right at the moment when I'm editing, but it's a good point nevertheless. – Luc Aug 21 '14 at 14:01
  • @Luc If your remote vim crashes, then a forgotten swp file might remain there much longer, even get indexed by search engines etc. – Petr Aug 21 '14 at 18:01
  • +1 good question but you already know the answer. Good advice out there as to how to move the swap to /tmp on StackExchange etc. – zedman9991 Aug 21 '14 at 18:26

2 Answers

9

The vim swap file contains the username of the author, the machine name of the computer where vim is running and some parts of the edited file.

Personally I wouldn't care if someone could read my machine name or username. But I think the bad part is the 'parts of the edited file' part:

While editing a database config file you could potentially leak your credentials. Most systems store this kind of data in secured files and forbid the viewing of these files, e.g. by rules in the .htaccess or by using a php file (empty after interpreting). But I've never seen a rule for e.g. a 'config.php.swp' file, nor will the php (or any other) interpreter help here. So this file would be viewable in plaintext by the user. That may have consequences.

An example: Wordpress can do updates in two ways: either you allow the webserver write access in its folders or you give it an ftp login for its own webspace. This way Wordpress can update itself over ftp. Wordpress saves this ftp login in the database, and the db credentials are in a file named wp-config.php.

In the worst case someone could view wp-config.php.swp, get access to your database and finally get full ftp access to the wordpress instance, only because someone forgot to quit vim properly or is working on these files by chance.

Tokk
2

Downloading the .swp file:

    C:\Users\user\Desktop\stuff\image-resize>curl http://mydomain/.smtp_config.php.swp -o .smtp_config.php.swp
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
      0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--
    100 12288    0 12288    0     0   387k      0 --:--:-- --:--:-- --:--:--  387k

Decoding:

    C:\Users\user\Desktop\stuff\image-resize>vim -r .smtp_config.php.swp -c ":w swpout.php" -c ":q!"

getting:

    C:\Users\user\Desktop\stuff\image-resize>cat swpout.php
    <?php

    $config = array(
       "uname"=>"uname",
       "pass"=>"pass",
       "host"=>"hostname",
       "port"=>"57"
    );

An attacker can download files without a php extension (normal php/apache configuration) and decode them.

open source guy
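The first answer lists what the swap file header carries (user name, host name, edited file) and the second shows that the contents are recoverable; a pre-upload audit that finds stray swap files and reports those header fields is the practical check. This is an added example, not code from either answer or from Vim: it assumes the block0 layout of Vim's memline.c (user name at offset 28, host name at 68, file name at 108, lengths 40/40/900, little-endian 4-byte pid at 24), and make_sample_swap plus its sample values are constructed purely for offline testing.

```python
import struct
from pathlib import Path

# Block 0 of a Vim swap file (struct block0 in Vim's memline.c, assumed here):
# "b0" id, a 10-byte "VIM x.y" version string, then page size, mtime, inode
# and pid as 4-byte little-endian fields, then the author's user name (40 B),
# host name (40 B) and the edited file's path (900 B), all NUL-padded.
MAGIC = b"b0VIM"
UNAME_OFF, HNAME_OFF, FNAME_OFF = 28, 68, 108
UNAME_LEN, HNAME_LEN, FNAME_LEN = 40, 40, 900
SWAP_SUFFIXES = (".swp", ".swo", ".swn")   # names Vim uses for a file's swap files


def _cstr(buf, off, size):
    """Decode a NUL-padded fixed-width string field."""
    return buf[off:off + size].split(b"\0", 1)[0].decode("utf-8", "replace")


def parse_swap_header(data):
    """Return the identifying fields of block 0, or None for a non-Vim file."""
    if not data.startswith(MAGIC) or len(data) < FNAME_OFF + FNAME_LEN:
        return None
    return {
        "version": _cstr(data, 2, 10),
        "pid": struct.unpack_from("<I", data, 24)[0],
        "user": _cstr(data, UNAME_OFF, UNAME_LEN),
        "host": _cstr(data, HNAME_OFF, HNAME_LEN),
        "file": _cstr(data, FNAME_OFF, FNAME_LEN),
    }


def audit_tree(root):
    """List stray swap files under root (e.g. a deploy staging dir) with their headers."""
    root = Path(root)
    return [(str(p.relative_to(root)), parse_swap_header(p.read_bytes()))
            for p in sorted(root.rglob("*"))
            if p.is_file() and p.suffix in SWAP_SUFFIXES]


def make_sample_swap(user, host, fname, pid=4242):
    """Constructed block 0 for offline testing; not produced by Vim itself."""
    b0 = bytearray(4096)                                  # one 4 KiB page
    b0[0:9] = b"b0VIM 7.4"                                # id + version string
    struct.pack_into("<IIII", b0, 12, 4096, 0, 0, pid)    # page size, mtime, ino, pid
    b0[UNAME_OFF:UNAME_OFF + len(user)] = user.encode()
    b0[HNAME_OFF:HNAME_OFF + len(host)] = host.encode()
    b0[FNAME_OFF:FNAME_OFF + len(fname)] = fname.encode()
    return bytes(b0)
```

Run audit_tree on the directory you are about to upload; any entry with a non-None header is a swap file that would expose the listed user, host and original path, and its text blocks would be recoverable with vim -r as shown above.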