CWE-541: Inclusion of Sensitive Information in an Include File

Description

If an include file source is accessible, the file can contain usernames and passwords, as well as sensitive information pertaining to the application and system.

Submission Date :

July 19, 2006, midnight

Modification Date :

2023-06-29 00:00:00+00:00

Organization :

MITRE
Example Vulnerable Codes

Example - 1

The following code uses an include file to store database credentials:

database.inc


<?php$dbName = 'usersDB';$dbPassword = 'skjdh#67nkjd3$3$';?>

login.php


<?phpinclude('database.inc');$db = connectToDB($dbName, $dbPassword);$db.authenticateUser($username, $password);?>

If the server does not have an explicit handler set for .inc files it may send the contents of database.inc to an attacker without pre-processing, if the attacker requests the file directly. This will expose the database name and password.

Related Weaknesses

This table shows the weaknesses and high level categories that are related to this weakness. These relationships are defined to give an overview of the different insight to similar items that may exist at higher and lower levels of abstraction.

CWE-540: Inclusion of Sensitive Information in Source Code
Go to

Visit http://cwe.mitre.org/ for more details.