QwikSec

Security Database

CVE

CWE

Training

Back to CWE list

CWE-219

Storage of File with Sensitive Data Under Web Root

Variant

Draft

Description

The product stores sensitive data under the web document root with insufficient access control, which might make it accessible to untrusted parties.

Besides public-facing web pages and code, products may store sensitive data, code that is not directly invoked, or other files under the web document root of the web server. If the server is not configured or otherwise used to prevent direct access to those files, then attackers may obtain this sensitive data.

Parent Weaknesses (ChildOf)

CWE-552: Files or Directories Accessibl...

Common Consequences

Scope

Confidentiality

Impact

Read Application Data

Potential Mitigations

Implementation

System Configuration

Avoid storing information under the web root directory.

System Configuration

Access control permissions should be set to prevent reading/writing of sensitive files inside/outside of the web directory.

CVE-2005-1835

Data file under web root.

CVE-2005-2217

Data file under web root.

CVE-2002-1449

Username/password in data file under web root.

CVE-2002-0943

Database file under web root.

CVE-2005-1645

database file under web root.

Applicable Platforms

Not Language-Specific

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.