The product stores raw content or supporting code under the web document root with an extension that is not specifically handled by the server.
View on MITREIf code is stored in a file with an extension such as ".inc" or ".pl", and the web server does not have a handler for that extension, then the server will likely send the contents of the file directly to the requester without the pre-processing that was expected. When that file contains sensitive information such as database credentials, this may allow the attacker to compromise the application or associated components.
Perform a type check before interpreting files.
Do not store sensitive information in files which may be misinterpreted.
No detection method information available for this CWE.
The following code uses an include file to store database credentials:
database.inc
The following code uses an include file to store database credentials:
database.inc
".inc" file stored under web document root and returned unparsed by the server
View Details".inc" file stored under web document root and returned unparsed by the server
View Details".inc" file stored under web document root and returned unparsed by the server
View DetailsChain: uppercase file extensions causes web server to return script source code instead of executing the script.
View DetailsCWE-433: Unparsed Raw Web Content Delivery is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The product stores raw content or supporting code under the web document root with an extension that is not specifically handled by the server. If code is stored in a file with an extension such as ".inc" or ".pl", and the web server does not have a handler for that extension, then the server will likely send the contents of the file directly to the requester without the pre-processing that was expected. When that file contains sensitive information such as database credentials, this may allow the attacker to compromise the application or associated components.
If exploited, CWE-433 (Unparsed Raw Web Content Delivery) it can compromise Confidentiality, leading to outcomes such as Read Application Data.
Recommended mitigations for CWE-433 include: Perform a type check before interpreting files. Do not store sensitive information in files which may be misinterpreted.
CWE-433 commonly affects Not Language-Specific. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.
MITRE documents real CVEs mapped to CWE-433, including CVE-2002-1886, CVE-2002-2065, CVE-2005-2029, CVE-2001-0330 and CVE-2002-0614. You can look up the full details of each CVE, including CVSS scores and remediation guidance, on our CVE Lookup tool.
A CWE (Common Weakness Enumeration) like CWE-433 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.