CWE Individual Dictionary Definition (2.1)

CWE-433: Unparsed Raw Web Content Delivery

Weakness ID: 433 (Weakness Variant)
Status: Incomplete
+ Description

Description Summary

The software stores raw content or supporting code under the web document root with an extension that is not specifically handled by the server.

Extended Description

If code is stored in a file with an extension such as ".inc" or ".pl", and the web server does not have a handler for that extension, then the server will likely send the contents of the file directly to the requester without the pre-processing that was expected. When that file contains sensitive information such as database credentials, this may allow the attacker to compromise the application or associated components.

+ Time of Introduction
  • Implementation
  • Operation
+ Applicable Platforms

Languages

All

+ Common Consequences
Scope            Effect
Confidentiality  Technical Impact: Read application data

+ Observed Examples
Reference       Description
CVE-2002-1886   ".inc" file stored under web document root and returned unparsed by the server
CVE-2002-2065   ".inc" file stored under web document root and returned unparsed by the server
CVE-2005-2029   ".inc" file stored under web document root and returned unparsed by the server
SECUNIA:11394   ".inc" file stored under web document root and returned unparsed by the server
CVE-2001-0330   direct request to .pl file leaves it unparsed
CVE-2002-0614   .inc file
CVE-2004-2353   unparsed config.conf file
CVE-2007-3365   Chain: uppercase file extensions cause the web server to return script source code instead of executing the script.
+ Potential Mitigations

Clean up debug code before deploying the application.

Perform a type check before interpreting files.

Do not store sensitive information in files which may be misinterpreted.
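
The following audit script is an added example, not part of the CWE entry: it walks a document root, treats every file whose extension has no server-side handler as a candidate for raw delivery, and flags those that contain code or credential-like assignments. It also catches the CWE-178 chain (CVE-2007-3365) where a handler exists only for the lowercase extension. The handler set, the code markers, the secret regex and the sample files are all constructed assumptions; handler matching is taken to be case-sensitive, as for Apache on a case-sensitive filesystem.

```python
import os
import re
import tempfile

CODE_MARKERS = (b"<?php", b"#!/usr/bin/perl")  # server-side code signatures (constructed)
SECRET_RE = re.compile(rb"(?i)(password|passwd|secret|db_user)\s*[=:]")

def classify(path, handled_exts):
    """Return a finding for `path`, or None if the server will pre-process it.
    handled_exts: extensions with a handler, e.g. {".php", ".pl"}; case-sensitive."""
    ext = os.path.splitext(path)[1]
    if ext in handled_exts:
        return None
    with open(path, "rb") as fh:
        head = fh.read(4096)
    if ext.lower() in handled_exts:
        # CWE-178 chain (cf. CVE-2007-3365): a handler exists only for the lowercase form.
        return "case-mismatched extension, source will be returned verbatim"
    reasons = []
    if any(m in head for m in CODE_MARKERS):
        reasons.append("raw code served as text")
    if SECRET_RE.search(head):
        reasons.append("contains credential-like assignments")
    return "; ".join(reasons) or None

def audit(docroot, handled_exts):
    """Walk docroot and return {relative path: finding} for every risky file."""
    findings = {}
    for dirpath, _, names in os.walk(docroot):
        for name in names:
            full = os.path.join(dirpath, name)
            finding = classify(full, handled_exts)
            if finding:
                findings[os.path.relpath(full, docroot)] = finding
    return findings

def demo():
    """Audit a constructed docroot in which only .php has a handler."""
    root = tempfile.mkdtemp()
    samples = {  # constructed sample files
        "index.php": b"<?php include 'db.inc'; ?>",
        "db.inc": b"<?php $db_user = 'app'; $password = 'hunter2'; ?>",
        "admin.PHP": b"<?php echo 'admin'; ?>",
        "config.conf": b"password = s3cret\n",
    }
    for name, body in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(body)
    return audit(root, {".php"})
```

Running `demo()` reports db.inc, admin.PHP and config.conf and leaves index.php alone; in practice, point `audit` at the real document root and pass the extensions from the server's handler configuration.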

+ Relationships
Nature     Type              ID   Name                                   View(s) this relationship pertains to
ChildOf    Weakness Variant  219  Sensitive Data Under Web Root          Research Concepts (primary) 1000
ChildOf    Category          429  Handler Errors                         Development Concepts (primary) 699
CanFollow  Weakness Base     178  Improper Handling of Case Sensitivity  Research Concepts 1000
CanFollow  Weakness Base     430  Deployment of Wrong Handler            Research Concepts 1000
CanFollow  Weakness Base     431  Missing Handler                        Research Concepts 1000
+ Relationship Notes

This overlaps direct requests (CWE-425), alternate path (CWE-424), permissions (CWE-275), and sensitive file under web root (CWE-219).

+ Taxonomy Mappings
Mapped Taxonomy Name  Node ID  Fit  Mapped Node Name
PLOVER                              Unparsed Raw Web Content Delivery
+ Content History
Submissions
Submission Date  Submitter  Organization  Source
                 PLOVER                   Externally Mined
Modifications
Modification Date  Modifier          Organization  Source
2008-07-01         Eric Dalci        Cigital       External
                   updated Potential_Mitigations, Time_of_Introduction
2008-09-08         CWE Content Team  MITRE         Internal
                   updated Relationships, Other_Notes, Taxonomy_Mappings
2008-10-14         CWE Content Team  MITRE         Internal
                   updated Description, Other_Notes, Relationship_Notes
2010-09-27         CWE Content Team  MITRE         Internal
                   updated Description, Potential_Mitigations
2011-06-01         CWE Content Team  MITRE         Internal
                   updated Common_Consequences
Page Last Updated: September 12, 2011