logo

Unparsed Raw Web Content Delivery

Incomplete Variant
Structure: Simple
Description

The product stores raw content or supporting code under the web document root with an extension that is not specifically handled by the server.

Extended Description

If code is stored in a file with an extension such as ".inc" or ".pl", and the web server does not have a handler for that extension, then the server will likely send the contents of the file directly to the requester without the pre-processing that was expected. When that file contains sensitive information such as database credentials, this may allow the attacker to compromise the application or associated components.
Common Consequences 1
Scope: Confidentiality

Impact: Read Application Data
Potential Mitigations 2
Phase: Architecture and Design
Perform a type check before interpreting files.
Phase: Architecture and Design
Do not store sensitive information in files which may be misinterpreted.
Demonstrative Examples 1

ID : DX-104

The following code uses an include file to store database credentials:
database.inc

Code Example:

Bad
PHP
php
login.php

Code Example:

Bad
PHP
php
If the server does not have an explicit handler set for .inc files it may send the contents of database.inc to an attacker without pre-processing, if the attacker requests the file directly. This will expose the database name and password.
Observed Examples 7
CVE-2002-1886".inc" file stored under web document root and returned unparsed by the server
CVE-2002-2065".inc" file stored under web document root and returned unparsed by the server
CVE-2005-2029".inc" file stored under web document root and returned unparsed by the server
CVE-2001-0330direct request to .pl file leaves it unparsed
CVE-2002-0614.inc file
CVE-2004-2353unparsed config.conf file
CVE-2007-3365Chain: uppercase file extensions causes web server to return script source code instead of executing the script.
References 1
The Art of Software Security Assessment
Mark Dowd, John McDonald, and Justin Schuh
Addison Wesley
2006
ID: REF-62
Applicable Platforms
Languages:
Not Language-Specific : Undetermined
Modes of Introduction
Implementation
Operation
Related Weaknesses
ChildOf: Storage of File with Sensitive Data Under Web Root (CWE-219)
Taxonomy Mapping
  • PLOVER
Notes
RelationshipThis overlaps direct requests (Direct Request ('Forced Browsing')), alternate path (Improper Protection of Alternate Path), permissions (Permission Issues), and sensitive file under web root (Storage of File with Sensitive Data Under Web Root).