{"@ID": "433", "@Name": "Unparsed Raw Web Content Delivery", "@Abstraction": "Variant", "@Structure": "Simple", "@Status": "Incomplete", "Description": "The product stores raw content or supporting code under the web document root with an extension that is not specifically handled by the server.", "Extended_Description": "If code is stored in a file with an extension such as \".inc\" or \".pl\", and the web server does not have a handler for that extension, then the server will likely send the contents of the file directly to the requester without the pre-processing that was expected. When that file contains sensitive information such as database credentials, this may allow the attacker to compromise the application or associated components.", "Related_Weaknesses": {"Related_Weakness": {"@Nature": "ChildOf", "@CWE_ID": "219", "@View_ID": "1000", "@Ordinal": "Primary"}}, "Weakness_Ordinalities": {"Weakness_Ordinality": [{"Ordinality": "Primary"}, {"Ordinality": "Resultant"}]}, "Applicable_Platforms": {"Language": {"@Class": "Not Language-Specific", "@Prevalence": "Undetermined"}, "Technology": [{"@Class": "Web Based", "@Prevalence": "Often"}, {"@Name": "Web Server", "@Prevalence": "Undetermined"}]}, "Modes_Of_Introduction": {"Introduction": [{"Phase": "Implementation"}, {"Phase": "Operation"}]}, "Common_Consequences": {"Consequence": {"Scope": "Confidentiality", "Impact": "Read Application Data"}}, "Potential_Mitigations": {"Mitigation": [{"Phase": "Architecture and Design", "Description": "Perform a type check before interpreting files."}, {"Phase": "Architecture and Design", "Description": "Do not store sensitive information in files which may be misinterpreted."}]}, "Demonstrative_Examples": {"Demonstrative_Example": {"@Demonstrative_Example_ID": "DX-104", "Intro_Text": "The following code uses an include file to store database credentials:", "Body_Text": ["database.inc", "login.php", "If the server does not have an explicit handler set for .inc files it may send the contents of database.inc to an attacker without pre-processing, if the attacker requests the file directly. This will expose the database name and password."], "Example_Code": [{"@Nature": "Bad", "@Language": "PHP", "xhtml:div": {"xhtml:br": [null, null, null], "#text": "<?php$dbName = 'usersDB';$dbPassword = 'skjdh#67nkjd3$3$';?>"}}, {"@Nature": "Bad", "@Language": "PHP", "xhtml:div": {"xhtml:br": [null, null, null, null], "#text": "<?phpinclude('database.inc');$db = connectToDB($dbName, $dbPassword);$db.authenticateUser($username, $password);?>"}}]}}, "Observed_Examples": {"Observed_Example": [{"Reference": "CVE-2002-1886", "Description": "\".inc\" file stored under web document root and returned unparsed by the server", "Link": "https://www.cve.org/CVERecord?id=CVE-2002-1886"}, {"Reference": "CVE-2002-2065", "Description": "\".inc\" file stored under web document root and returned unparsed by the server", "Link": "https://www.cve.org/CVERecord?id=CVE-2002-2065"}, {"Reference": "CVE-2005-2029", "Description": "\".inc\" file stored under web document root and returned unparsed by the server", "Link": "https://www.cve.org/CVERecord?id=CVE-2005-2029"}, {"Reference": "CVE-2001-0330", "Description": "direct request to .pl file leaves it unparsed", "Link": "https://www.cve.org/CVERecord?id=CVE-2001-0330"}, {"Reference": "CVE-2002-0614", "Description": ".inc file", "Link": "https://www.cve.org/CVERecord?id=CVE-2002-0614"}, {"Reference": "CVE-2004-2353", "Description": "unparsed config.conf file", "Link": "https://www.cve.org/CVERecord?id=CVE-2004-2353"}, {"Reference": "CVE-2007-3365", "Description": "Chain: uppercase file extensions causes web server to return script source code instead of executing the script.", "Link": "https://www.cve.org/CVERecord?id=CVE-2007-3365"}]}, "Taxonomy_Mappings": {"Taxonomy_Mapping": {"@Taxonomy_Name": "PLOVER", "Entry_Name": "Unparsed Raw Web Content Delivery"}}, "References": {"Reference": {"@External_Reference_ID": "REF-62", "@Section": "Chapter 3, \"File Handlers\", Page 74"}}, "Mapping_Notes": {"Usage": "Allowed", "Rationale": "This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.", "Comments": "Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.", "Reasons": {"Reason": {"@Type": "Acceptable-Use"}}}, "Notes": {"Note": {"@Type": "Relationship", "#text": "This overlaps direct requests (CWE-425), alternate path (CWE-424), permissions (CWE-275), and sensitive file under web root (CWE-219)."}}, "Content_History": {"Submission": {"Submission_Name": "PLOVER", "Submission_Date": "2006-07-19", "Submission_Version": "Draft 3", "Submission_ReleaseDate": "2006-07-19"}, "Modification": [{"Modification_Name": "Eric Dalci", "Modification_Organization": "Cigital", "Modification_Date": "2008-07-01", "Modification_Version": "1.0", "Modification_ReleaseDate": "2008-09-09", "Modification_Comment": "updated Potential_Mitigations, Time_of_Introduction"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2008-09-08", "Modification_Version": "1.0", "Modification_ReleaseDate": "2008-09-09", "Modification_Comment": "updated Relationships, Other_Notes, Taxonomy_Mappings"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2008-10-14", "Modification_Version": "1.0.1", "Modification_ReleaseDate": "2008-10-14", "Modification_Comment": "updated Description, Other_Notes, Relationship_Notes"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2010-09-27", "Modification_Version": "1.10", "Modification_ReleaseDate": "2010-09-27", "Modification_Comment": "updated Description, Potential_Mitigations"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2011-06-01", "Modification_Version": "1.13", "Modification_ReleaseDate": "2011-06-01", "Modification_Comment": "updated Common_Consequences"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2012-05-11", "Modification_Version": "2.2", "Modification_ReleaseDate": "2012-05-15", "Modification_Comment": "updated References, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2012-10-30", "Modification_Version": "2.3", "Modification_ReleaseDate": "2012-10-30", "Modification_Comment": "updated Demonstrative_Examples, Potential_Mitigations"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2014-07-30", "Modification_Version": "2.8", "Modification_ReleaseDate": "2014-07-31", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2017-11-08", "Modification_Version": "3.0", "Modification_ReleaseDate": "2017-11-08", "Modification_Comment": "updated Applicable_Platforms, Observed_Examples"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-01-31", "Modification_Version": "4.10", "Modification_ReleaseDate": "2023-01-31", "Modification_Comment": "updated Description"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-04-27", "Modification_Version": "4.11", "Modification_ReleaseDate": "2023-04-27", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-06-29", "Modification_Version": "4.12", "Modification_ReleaseDate": "2023-06-29", "Modification_Comment": "updated Mapping_Notes"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2025-12-11", "Modification_Version": "4.19", "Modification_ReleaseDate": "2025-12-11", "Modification_Comment": "updated Applicable_Platforms, Weakness_Ordinalities"}]}}
