Dreamweaver lock files exposed

This is a warning to anyone out there using Dreamweaver to check files in and out from their web server. The lock files (.lck) that tell your colleagues that you have a file checked out can be indexed by google and reveal information such as your name, a username and your email address to anyone that looks for them. This came about when one of my friends who uses Dreamweaver discovered information from a lock file available freely on the internet.

As an example of how widespread this issue is, the following google search reveals all .lck files that are created for php files using the search inurl:"php.lck". Search Google for .lck files associated with php files

OK so how do I stop this?

Google has a special syntax that can be used in robots.txt files to prevent indexing of specific file extensions. Bear in mind this use of the asterisk wild card should not be used for other bots as it will fail.

User-agent: Googlebot
Disallow: /*.lck$

The problem with the robots.txt approach is that it doesn't actually prevent anyone else (people or bots) accessing the lock files. To achieve the desired result we can make use of an apache directive to deny access to all .lck files. This configuration can be used in a .htaccess file or added to httpd.conf and it works by using regex to pattern match all files ending in .lck. Any attempts to view the lock files will result in a 403 forbidden error. Time to get those custom error pages looking sexy.

<FilesMatch "\.(lck|LCK)$">
  order allow,deny
  deny from all
</FilesMatch>

For more information on the FilesMatch Apache directive please visit the apache 1.3 documentation pages.

comments powered by Disqus