Beware the Dangers of .swp Files On Prod

Editing a file with vim on a public-facing web server and exiting the program improperly can leave you vulnerable to leaking private data such as database credentials and private keys.

A .swp file is vim's swap file: it stores your in-progress changes to a file along with other sensitive information such as your username and machine name.

Example:

SSHing into a live server to make a hotfix on a file using vim can turn credentials.php (whose contents would normally be impossible to read, because the server executes it rather than serving its source) into credentials.php.swp, which is served as plaintext. An attacker can then discover this file during file enumeration recon.

Mitigations include:

  • Strict rules to prevent serving files matching an extension (for this, you can use .htaccess on httpd), i.e. block files matching /\.swp$/. Alternatively, use a file extension whitelist (e.g. only allow /\.php$/).
  • Use a file extension filter (rsync exclude) when transferring files to production (to prevent leaking local dev secrets).
  • Do not directly alter files on production.
  • Utilise a cleanup script (cron task?) to purge files with this file extension.
  • Set your default vim swap file directory to a directory inaccessible to your web server using a command like set directory^=$HOME/.vim/swap// (changing the directory to a ‘safe’ path).
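To make the cleanup-script mitigation concrete, here is an added audit script (not code from the original post) that walks a web root, flags vim swap files, and reads each one's header to show exactly what it discloses: the editing user, the host name and the original file path. It goes slightly beyond the post by also matching vim's fallback names .swo and .swn, and the web root, file names and header values in `demo()` are constructed fixtures.

```python
import os
import re
import tempfile
from pathlib import Path

# Layout of vim's block0 header (struct block0 in memline.c): "b0", a 10-byte
# version string, four 4-byte fields (page size, mtime, inode, pid), then a
# 40-byte user name, a 40-byte host name and a 900-byte original file name.
B0_UNAME, B0_HNAME, B0_FNAME = 28, 68, 108
SWAP_NAME = re.compile(r"\.sw[n-p]$")  # .swp plus vim's fallbacks .swo / .swn


def _cstr(buf, off, size):
    """Decode a NUL-terminated fixed-width header field."""
    return buf[off:off + size].split(b"\0", 1)[0].decode("utf-8", "replace")


def parse_swap_header(path):
    """Return what the swap file discloses, or None if it is not a vim swap file."""
    head = path.read_bytes()[:B0_FNAME + 900]
    if not head.startswith(b"b0VIM"):
        return None
    return {"vim": _cstr(head, 2, 10), "user": _cstr(head, B0_UNAME, 40),
            "host": _cstr(head, B0_HNAME, 40), "original_file": _cstr(head, B0_FNAME, 900)}


def find_swap_files(webroot):
    """Walk a web root and report every swap-named file plus its leaked header fields."""
    findings = []
    for root, _dirs, files in os.walk(webroot):
        for name in sorted(files):
            if SWAP_NAME.search(name):
                path = Path(root, name)
                findings.append({"path": str(path), **(parse_swap_header(path) or {})})
    return findings


def build_swap_header(user, host, original_file):
    """Constructed fixture: a minimal block0 laid out the way vim writes it."""
    fixed = b"b0" + b"VIM 8.2".ljust(10, b"\0") + b"\0" * 16
    return (fixed + user.encode().ljust(40, b"\0") + host.encode().ljust(40, b"\0")
            + original_file.encode().ljust(900, b"\0"))


def demo():
    """Constructed web root: a PHP file next to a stray swap file for it.
    vim names the swap file .credentials.php.swp (note the leading dot)."""
    webroot = Path(tempfile.mkdtemp())
    (webroot / "credentials.php").write_text("<?php $db_pass = 'example-only';")
    (webroot / ".credentials.php.swp").write_bytes(
        build_swap_header("deploy", "web01", "/var/www/html/credentials.php"))
    (webroot / "player.swf").write_bytes(b"FWS")  # legitimate .swf must not be flagged
    return find_swap_files(webroot)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['path']}: edited by {f.get('user')}@{f.get('host')} from {f.get('original_file')}")
```

Run it against a real document root as a cron task to list stray swap files before deciding what to purge; the header fields also tell you which account and host left them behind.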
