Sensitive Data Under Web Root
Weakness ID: 219 (Weakness Variant)Status: Draft
+ Description

Description Summary

The application stores sensitive data under the web document root with insufficient access control, which might make it accessible to untrusted parties.
+ Time of Introduction
  • Operation
  • Implementation
+ Applicable Platforms



+ Observed Examples
CVE-2005-1835Data file under web root.
CVE-2005-2217Data file under web root.
CVE-2002-1449Username/password in data file under web root.
CVE-2002-0943Database file under web root.
CVE-2005-1645database file under web root.
+ Potential Mitigations

Avoid storing information under the web root directory.

Access control permissions should be set to prevent reading/writing of sensitive files inside/outside of the web directory.

+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfWeakness ClassWeakness Class216Containment Errors (Container Errors)
Development Concepts (primary)699
Research Concepts1000
ChildOfWeakness ClassWeakness Class285Improper Access Control (Authorization)
Research Concepts (primary)1000
ChildOfCategoryCategory731OWASP Top Ten 2004 Category A10 - Insecure Configuration Management
Weaknesses in OWASP Top Ten (2004) (primary)711
CanPrecedeWeakness ClassWeakness Class668Exposure of Resource to Wrong Sphere
Research Concepts1000
ParentOfWeakness VariantWeakness Variant433Unparsed Raw Web Content Delivery
Research Concepts (primary)1000
+ Taxonomy Mappings
Mapped Taxonomy NameNode IDFitMapped Node Name
PLOVERSensitive Data Under Web Root
OWASP Top Ten 2004A10CWE More SpecificInsecure Configuration Management
+ Content History
Submission DateSubmitterOrganizationSource
PLOVERExternally Mined
Modification DateModifierOrganizationSource
2008-07-01Eric DalciCigitalExternal
updated Time of Introduction
Suggested OWASP Top Ten 2004 mapping
2008-09-08CWE Content TeamMITREInternal
updated Relationships, Taxonomy Mappings
2009-12-28CWE Content TeamMITREInternal
updated Relationships