0

I am doing an rundown/audit/exploration on a website, and I have found several pages on the live version of the sites domain that are not actually in use, such as example-page2.php or registration-test.php. They do have their counterparts being the proper versions of those pages such as just registration.php which are uploaded to the website, and are in use.

So although these pages are not actually linked anywhere they are still "live" and can be accessed if gone to directly so if I go to my site say example.com/registration-test.php I can see them some are half finished half broken half lorem-ipsum. I was just wondering how dangerous something like this could be for a website?

I understand some are linked to same process files and such as a live version so that could be dangerous as they could be used to exploit. However some I see just go to dead links/process pages or are stand alone and do nothing, also could like hackers change the -test.php from the page redirect like process-test.php and make it go to the live version?

If someone could explain how bad this could be in terms of practice or just if it is dangerous it would be a great help to fully explain this to the person whose site I am auditing

Meitie
  • 75
  • 1
  • 8
  • 3
    It is always good to keep the garbage out of your project. – Ropali Munshi May 21 '19 at 10:07
  • 1
    You should never use your live server as a dev server. As a general rule - delete any files that are no longer accessed. –  May 21 '19 at 10:11
  • i understand yes, i shall tell them that, but is there like a valid danger to having it there? – Meitie May 21 '19 at 10:12
  • like could someone use a test file to hack something? is that possible? – Meitie May 21 '19 at 10:12
  • Depends on your test file. When your testfile allows to execute arbitrary code, then yes. When your test file just counts from 0 to 10 and exits, then probably not – Kryptur May 21 '19 at 10:20
  • @Kryptur if it uses say ajax to go to `registration-process-test.php` could someone manip that to just go to `registration-process` in that way could it exectute code? – Meitie May 21 '19 at 10:23
  • Yes, javascript is client side. A user could change that to do different things. – Dirk Scholten May 21 '19 at 10:59
  • its suggested to remove all file that is not necessary for the live website. since the file can be access from direct URL its vulnerable to your server if that page can run JS code. – Fzstyle May 21 '19 at 11:39

0 Answers0