CWE-541: Inclusion of Sensitive Information in an Include File
Description
If an include file source is accessible, the file can contain usernames and passwords, as well as sensitive information pertaining to the application and system.
Submission Date :
July 19, 2006, midnight
Modification Date :
2023-06-29 00:00:00+00:00
Organization :
MITRE
Example - 1
The following code uses an include file to store database credentials: database.inc login.php If the server does not have an explicit handler set for .inc files it may send the contents of database.inc to an attacker without pre-processing, if the attacker requests the file directly. This will expose the database name and password.
<?php$dbName = 'usersDB';$dbPassword = 'skjdh#67nkjd3$3$';?>
<?phpinclude('database.inc');$db = connectToDB($dbName, $dbPassword);$db.authenticateUser($username, $password);?>
Related Weaknesses
This table shows the weaknesses and high level categories that are related to this weakness. These relationships are defined to give an overview of the different insight to similar items that may exist at higher and lower levels of abstraction.
Visit http://cwe.mitre.org/ for more details.