Inclusion of Sensitive Information in an Include File

Status: Incomplete
Abstraction: Variant
Structure: Simple
Description

If an include file source is accessible, the file can contain usernames and passwords, as well as sensitive information pertaining to the application and system.

Common Consequences
Scope: Confidentiality

Impact: Read Application Data

Potential Mitigations
Phase: Architecture and Design
Do not store sensitive information in include files.
Phase: Architecture and Design; System Configuration
Protect include files from being exposed.
Demonstrative Examples

ID : DX-104

The following code uses an include file to store database credentials:

database.inc (bad example, PHP)

login.php (bad example, PHP)

If the server does not have an explicit handler set for .inc files, it may send the contents of database.inc to an attacker without pre-processing if the attacker requests the file directly. This will expose the database name and password.
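A hardened layout for the same scenario, written as an added example rather than code from the CWE entry: the configuration file is moved outside the web document root, given a .php extension so a misconfigured server would execute it rather than dump it, and reads the password from the environment instead of storing it. The paths (/var/www/app/config and /var/www/app/public), the DB_PASSWORD variable and the connection values are assumptions chosen for illustration.

```php
<?php
// ---- /var/www/app/config/database.php (assumed path, OUTSIDE the document root) ----
// Two defences against the exposure described above:
//  1. the file sits outside the web root (/var/www/app/public), so no URL maps to it;
//  2. it ends in .php, so even a server that did expose it would execute it and
//     return nothing, instead of sending its source as it would for an unhandled .inc.
// The secret comes from the environment, so the file contains no password at all.

// Defence in depth: refuse to run if this file is ever requested directly.
if (realpath($_SERVER['SCRIPT_FILENAME'] ?? '') === __FILE__) {
    http_response_code(404);
    exit;
}

$password = getenv('DB_PASSWORD');
if ($password === false) {
    throw new RuntimeException('DB_PASSWORD is not set');
}

return [
    'dsn'      => 'mysql:host=127.0.0.1;dbname=usersDB', // constructed sample values
    'user'     => 'app_user',
    'password' => $password,
];
```

```php
<?php
// ---- /var/www/app/public/login.php (assumed path, inside the document root) ----
// __DIR__ . '/..' steps out of the document root to reach the config directory;
// no include_path search and no user-controlled filename is involved.
$db = require __DIR__ . '/../config/database.php';

$pdo = new PDO($db['dsn'], $db['user'], $db['password'], [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);

// If legacy *.inc files must remain under the web root, also deny them at the
// server, e.g. in Apache 2.4:
//   <FilesMatch "\.inc$">
//       Require all denied
//   </FilesMatch>
```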
Modes of Introduction
Phase: Implementation