Storage of File with Sensitive Data Under Web Root
Draft Variant
Structure: Simple
Description
The product stores sensitive data under the web document root with insufficient access control, which might make it accessible to untrusted parties.
Besides public-facing web pages and code, products may store sensitive data, code that is not directly invoked, or other files under the web document root of the web server. If the server is not configured or otherwise used to prevent direct access to those files, then attackers may obtain this sensitive data.
Common Consequences 1
Scope: Confidentiality
Impact: Read Application Data
Potential Mitigations 2
Phase: ImplementationSystem Configuration
Avoid storing information under the web root directory.
Phase: System Configuration
Access control permissions should be set to prevent reading/writing of sensitive files inside/outside of the web directory.
Observed Examples 5
CVE-2005-1835Data file under web root.
CVE-2005-2217Data file under web root.
CVE-2002-1449Username/password in data file under web root.
CVE-2002-0943Database file under web root.
CVE-2005-1645database file under web root.
Applicable Platforms
Languages:
Not Language-Specific : Undetermined
Modes of Introduction
Operation
Implementation
Related Weaknesses
Taxonomy Mapping
- PLOVER
- OWASP Top Ten 2004