Unparsed Raw Web Content Delivery
Weakness ID: 433 (Weakness Variant)
Status: Incomplete
+ Description

Description Summary

The software stores raw content or supporting code under the web document root with an extension that is not specifically handled by the server, resulting in an information leak.

Extended Description

If code is stored in a file with an extension such as ".inc" or ".pl", and the web server does not have a handler for that extension, then the server will likely send the contents of the file directly to the requester without the pre-processing that was expected. When that file contains sensitive information such as database credentials, this will result in an information leak that allows the attacker to compromise the application or associated components.

+ Time of Introduction
  • Implementation
  • Operation
+ Applicable Platforms

Languages

All

+ Observed Examples
Reference | Description
CVE-2002-1886 | ".inc" file stored under web document root and returned unparsed by the server
CVE-2002-2065 | ".inc" file stored under web document root and returned unparsed by the server
CVE-2005-2029 | ".inc" file stored under web document root and returned unparsed by the server
SECUNIA:11394 | ".inc" file stored under web document root and returned unparsed by the server
CVE-2001-0330 | direct request to .pl file leaves it unparsed
CVE-2002-0614 | .inc file
CVE-2004-2353 | unparsed config.conf file
CVE-2007-3365 | Chain: uppercase file extensions cause the web server to return script source code instead of executing the script.
+ Potential Mitigations

Clean up debug code before deploying the application.

Perform a type check before interpreting files.

Do not store sensitive information in files that may be misinterpreted by the server and served raw, causing an information leak.
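The extended description and the mitigations above describe the same audit a deployer would perform before release: walk the document root, find files whose extension has no server-side handler (or whose extension differs in case from the handled one, as in the CVE-2007-3365 chain), and check whether such files carry credentials. The script below is an added example, not part of the CWE entry; the handled and suspect extension sets, the credential pattern and the sample listing are all constructed assumptions for illustration, and a real deployment would load the handled set from the server's own configuration.

```python
import os
import re
from pathlib import Path
from typing import Iterable, List, Optional, Tuple

# Assumption: extensions the web server is configured to pre-process.
# In practice this list comes from the server config (e.g. AddHandler lines).
HANDLED_EXTENSIONS = {".php", ".pl", ".cgi"}

# Assumption: extensions that commonly hold code, includes or config but
# have no handler by default, so the server falls back to serving them raw.
SUSPECT_EXTENSIONS = {".inc", ".conf", ".ini", ".bak", ".old", ".orig", ".swp"}

# Constructed pattern for credential-style assignments inside a file.
CREDENTIAL_RE = re.compile(
    r"(?i)(pass(word|wd)?|secret|api[_-]?key|token)\s*[=:]\s*[\"']"
)


def classify(path: str,
             handled=HANDLED_EXTENSIONS,
             suspect=SUSPECT_EXTENSIONS) -> Optional[str]:
    """Return a finding kind for one relative path, or None if it is fine.

    'case-mismatch':       extension matches a handler only when lowercased
                           (a case-sensitive handler match would miss it).
    'unhandled-extension': extension has no handler and typically holds
                           code or config, so it would be returned unparsed.
    """
    ext = Path(path).suffix
    lower = ext.lower()
    if ext and lower in handled and ext != lower:
        return "case-mismatch"
    if lower in suspect:
        return "unhandled-extension"
    return None


def audit_listing(paths: Iterable[str]) -> List[Tuple[str, str]]:
    """Classify every path in a listing and keep only the findings."""
    findings = []
    for p in paths:
        kind = classify(p)
        if kind is not None:
            findings.append((p, kind))
    return findings


def audit_webroot(root: str) -> List[Tuple[str, str]]:
    """Walk a real document root and audit the files found there."""
    paths = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            paths.append(os.path.relpath(full, root))
    return audit_listing(paths)


def looks_sensitive(text: str) -> bool:
    """True if the file body contains a credential-style assignment."""
    return CREDENTIAL_RE.search(text) is not None


# Constructed sample listing standing in for a scanned document root.
SAMPLE_LISTING = [
    "index.php",            # handled by the PHP handler: fine
    "lib/db.inc",           # include file, no handler: served as plain text
    "cgi-bin/login.pl",     # handled by the Perl handler: fine
    "cgi-bin/Login.PL",     # uppercase extension may bypass a handler match
    "config.conf",          # raw config file under the web root
    "images/logo.png",      # static asset, meant to be served raw
    "admin/index.php.bak",  # editor/backup copy of a script
]

# Constructed body of lib/db.inc from the sample listing.
SAMPLE_INC_BODY = '<?php\n$db_user = "app";\n$db_pass = "s3cret";\n'


if __name__ == "__main__":
    for path, kind in audit_listing(SAMPLE_LISTING):
        print(f"{kind:20} {path}")
    print("lib/db.inc holds credentials:", looks_sensitive(SAMPLE_INC_BODY))
```

Each flagged path is one that the server would hand back unprocessed on a direct request; the fix is to move such files outside the document root or give the server an explicit deny rule for those extensions, rather than relying on nobody guessing the name.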

+ Relationships
Nature | Type | ID | Name | View(s) this relationship pertains to | View ID
ChildOf | Weakness Variant | 219 | Sensitive Data Under Web Root | Research Concepts (primary) | 1000
ChildOf | Category | 429 | Handler Errors | Development Concepts (primary) | 699
CanFollow | Weakness Base | 178 | Failure to Resolve Case Sensitivity | Research Concepts | 1000
CanFollow | Weakness Base | 430 | Deployment of Wrong Handler | Research Concepts | 1000
CanFollow | Weakness Base | 431 | Missing Handler | Research Concepts | 1000
+ Relationship Notes

This overlaps direct requests (CWE-425), alternate path (CWE-424), permissions (CWE-275), and sensitive file under web root (CWE-219).

+ Taxonomy Mappings
Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name
PLOVER | | | Unparsed Raw Web Content Delivery
+ Content History
Submissions
Submission Date | Submitter | Organization | Source
| PLOVER | | Externally Mined
Modifications
Modification Date | Modifier | Organization | Source
2008-07-01 | Eric Dalci | Cigital | External
  updated Potential Mitigations, Time of Introduction
2008-09-08 | CWE Content Team | MITRE | Internal
  updated Relationships, Other Notes, Taxonomy Mappings
2008-10-14 | CWE Content Team | MITRE | Internal
  updated Description, Other Notes, Relationship Notes