CWE-433: Unparsed Raw Web Content Delivery

VariantIncomplete

The product stores raw content or supporting code under the web document root with an extension that is not specifically handled by the server.

View on MITRE
Back to CWE Lookup

Extended Description

If code is stored in a file with an extension such as ".inc" or ".pl", and the web server does not have a handler for that extension, then the server will likely send the contents of the file directly to the requester without the pre-processing that was expected. When that file contains sensitive information such as database credentials, this may allow the attacker to compromise the application or associated components.

Technical Details

Structure
Simple

Applicable To

Languages
Not Language-Specific
Platforms

Frequently Asked Questions

What is CWE-433: Unparsed Raw Web Content Delivery?+

CWE-433: Unparsed Raw Web Content Delivery is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The product stores raw content or supporting code under the web document root with an extension that is not specifically handled by the server. If code is stored in a file with an extension such as ".inc" or ".pl", and the web server does not have a handler for that extension, then the server will likely send the contents of the file directly to the requester without the pre-processing that was expected. When that file contains sensitive information such as database credentials, this may allow the attacker to compromise the application or associated components.

What are the security consequences of Unparsed Raw Web Content Delivery?+

If exploited, CWE-433 (Unparsed Raw Web Content Delivery) it can compromise Confidentiality, leading to outcomes such as Read Application Data.

How do you prevent or mitigate Unparsed Raw Web Content Delivery?+

Recommended mitigations for CWE-433 include: Perform a type check before interpreting files. Do not store sensitive information in files which may be misinterpreted.

Which programming languages are affected by Unparsed Raw Web Content Delivery?+

CWE-433 commonly affects Not Language-Specific. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.

What are real-world examples of Unparsed Raw Web Content Delivery?+

MITRE documents real CVEs mapped to CWE-433, including CVE-2002-1886, CVE-2002-2065, CVE-2005-2029, CVE-2001-0330 and CVE-2002-0614. You can look up the full details of each CVE, including CVSS scores and remediation guidance, on our CVE Lookup tool.

What is the difference between a CWE and a CVE?+

A CWE (Common Weakness Enumeration) like CWE-433 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.

Learn More

CWE-433: Unparsed Raw Web Content Delivery | CWE Lookup | InventiveHQ