Files on web servers Part I: History Files

In part I of the blog series, we will go over some "history" files that are commonly found on web servers.

What are history files?

Most interactive commandline programs (i.e. bash, python, less, etc.) save their command history in a file. This is done to give the user the opportunity to navigate through previous commands even if the program terminated in between.

Here are some common history files that you will most likely find in your home directory:

  • .bash_history
  • .histfile
  • .mysql_history
  • .node_repl_history
  • .python_history
  • .Rhistory
  • .sqlite_history
  • .lesshst
  • .wget-hsts
  • ...

Some programs might not store the file in the $HOME directory, but somewhere else or relative to the executed program.

What can be found?

I was curious how many popular websites have these files on their web servers, so I scanned the Alexa Top 1M. Due to the sheer amount of possible candidates, I limited my research to the following files:

  • .lesshst
  • .wget-hsts
  • .mysql_history
  • .sqlite_history

As I didn't want to obtain any sensitive information from any website, I matched the first few lines of each HTTP response against some keywords and then just counted the occurence. Due to this method, I might have missed a bunch of files that didn't have the keywords in their first lines.

.lesshst

The .lesshst is the history file for the less program, which is a commonly used tool to view contents of a file. The history file stores used commands or keywords that were used i.e. for searching within a file.

Keywords to identify this file are:

  • .less-history-file
  • .search
  • .shell

As those three categories imply, exposing this file on the web server might result in all file searches or shell commands being exposed. Depeding who was using less, it might contain parts of passwords, usernames, configuration options or source code.

I was able to identify about 160 files.

.wget-hsts

This file is created by wget when encountering HSTS websites. Each entry in this file is based on the following scheme:

# HSTS 1.0 Known Hosts database for GNU Wget.
# Edit at your own risk.
# <hostname>    <port>  <incl. subdomains>      <created>       <max-age>

Based on that header you can easily identify this file.

When this file is exposed it will leak the hostnames that the user connected to and got a HSTS header from the server. Depending on the context it might give away what websites, repositories or other internal web-based tooling that was used.

I count 25 occurrences.

.mysql_history

I guess this file does not need a lot of explanation. It's the history file of the well known mysql program. It logs all executed SQL queries and I simply used the select keyword to match against them.

This file is really critical as it contains all queries that were manually executed on the server, including information like:

  • database names
  • table and column names
  • parameters and values
  • etc.

There were 56 findings of this type.

.sqlite_history

This file is similar to the .mysql_history file, but it is produced by a different database management system - namely sqlite. Again, I've used the select keyword to identify the file.

However, I must have been unlucky with that matching rule, because in the end I had exactly 0 hits on that one. Maybe none of the big websites uses sqlite in production (which is understandable), or nobody has the .sqlite_history file exposed (which is good).

Fix it

Check your DocumentRoot regularly to see if any of those files exist and are exposed to the public. They should not!

Adjust your web server configuration to prevent access to those files.

-=-