CWE-541: Inclusion of Sensitive Information in an Include File
If an include file source is accessible, the file can contain usernames and passwords, as well as sensitive information pertaining to the application and system.
Technical Details
- Structure: Simple
Applicable To
Security Consequences
Scope: Confidentiality
Impact: Read Application Data
Mitigation Strategies
- Do not store sensitive information in include files.
- Protect include files from being exposed.
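An added example, not part of the CWE entry: a Python audit that walks a web document root and reports credential-like assignments in the files there, marking those whose extension the server would return as raw source. The `.php`-only handler set, the regular expression and the sample tree are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Assumption: only these extensions are passed to the script interpreter by the
# web server; any other file under the document root is served as raw source.
EXECUTED_EXTENSIONS = {".php"}

# Credential-like name given a non-empty string literal, e.g.
#   $dbPassword = "...";   define('DB_USER', '...');   'password' => '...'
CREDENTIAL_RE = re.compile(
    r"""\w*(?:passw(?:or)?d|pwd|secret|api_?key|user(?:name)?)\w*['"]?"""
    r"""\s*(?:=>|=|,)\s*['"][^'"]+['"]""",
    re.IGNORECASE,
)

def audit_docroot(docroot):
    """Return (relative_path, line_no, risk) for each credential-like line.

    The matched value is deliberately not returned, so the report itself does
    not become another copy of the secret.
    """
    findings = []
    root = Path(docroot)
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        served_raw = path.suffix.lower() not in EXECUTED_EXTENSIONS
        risk = "served-as-source" if served_raw else "in-docroot"
        text = path.read_text(encoding="utf-8", errors="replace")
        for line_no, line in enumerate(text.splitlines(), start=1):
            if CREDENTIAL_RE.search(line):
                findings.append((path.relative_to(root).as_posix(), line_no, risk))
    return findings

def build_sample_docroot(root):
    """Constructed sample tree; every value in it is a placeholder."""
    root = Path(root)
    (root / "includes").mkdir()
    (root / "includes" / "database.inc").write_text(
        '<?php\n$dbName = "shop";\n$dbPassword = "EXAMPLE-PLACEHOLDER";\n?>\n')
    (root / "config.php").write_text(
        "<?php\ndefine('DB_USER', 'EXAMPLE-PLACEHOLDER');\n")
    (root / "index.php").write_text("<?php\ninclude 'includes/database.inc';\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_docroot(tmp)
        for rel_path, line_no, risk in audit_docroot(tmp):
            print(f"{risk:17} {rel_path}:{line_no}")
```

A `served-as-source` finding is the exposure this entry describes; an `in-docroot` finding is a credential that would leak if the handler mapping were ever lost, so both are candidates for moving outside the document root.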
Detection Methods
No detection method information available for this CWE.
Code Examples & CVEs
Demonstrative Examples
The following code uses an include file to store database credentials:
database.inc
CWE Relationships
Frequently Asked Questions
What is CWE-541: Inclusion of Sensitive Information in an Include File?
CWE-541: Inclusion of Sensitive Information in an Include File is a Common Weakness Enumeration (CWE) entry maintained by MITRE. If an include file source is accessible, the file can contain usernames and passwords, as well as sensitive information pertaining to the application and system.
What are the security consequences of Inclusion of Sensitive Information in an Include File?
If exploited, CWE-541 (Inclusion of Sensitive Information in an Include File) can compromise Confidentiality, leading to outcomes such as Read Application Data.
How do you prevent or mitigate Inclusion of Sensitive Information in an Include File?
Recommended mitigations for CWE-541 include: Do not store sensitive information in include files. Protect include files from being exposed.
What is the difference between a CWE and a CVE?
A CWE (Common Weakness Enumeration) like CWE-541 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.