CWE-541: Information Exposure Through Include Source Code
Weakness ID: 541
If an include file source is accessible, the file can contain usernames and passwords, as well as sensitive information pertaining to the application and system.
Time of Introduction
Technical Impact: Read application
The following code uses an include file to store database
$dbName = 'usersDB';
$dbPassword = 'skjdh#67nkjd3$3$';
$db = connectToDB($dbName, $dbPassword);
If the server does not have an explicit handler set for .inc files it may send the contents of database.inc to an attacker without pre-processing, if the attacker requests the file directly. This will expose the database name and password. Note this is also an example of CWE-433.
Phase: Architecture and Design
Do not store sensitive information in include files.
Phases: Architecture and Design; System Configuration