Sensitive Data Under Web Root| ID: 219 | Date: (C)2012-05-14 (M)2022-10-10 |
| Type: weakness | Status: DRAFT |
| Abstraction Type: Variant |
Description
The application stores sensitive data under the web document
root with insufficient access control, which might make it accessible to
untrusted parties.
Applicable PlatformsLanguage Class: All
Time Of Introduction
Common Consequences
| Scope | Technical Impact | Notes |
|---|
| Confidentiality | Read application
data | |
Detection MethodsNone
Potential Mitigations
| Phase | Strategy | Description | Effectiveness | Notes |
|---|
| ImplementationSystem Configuration | | Avoid storing information under the web root directory. | | |
| System Configuration | | Access control permissions should be set to prevent reading/writing of
sensitive files inside/outside of the web directory. | | |
Relationships
| Related CWE | Type | View | Chain |
|---|
| CWE-219 ChildOf CWE-895 | Category | CWE-888 | |
Demonstrative ExamplesNone
Observed Examples
- CVE-2005-1835 : Data file under web root.
- CVE-2005-2217 : Data file under web root.
- CVE-2002-1449 : Username/password in data file under web root.
- CVE-2002-0943 : Database file under web root.
- CVE-2005-1645 : database file under web root.
For more examples, refer to CVE relations in the bottom box.
White Box Definitions None
Black Box Definitions None
Taxynomy Mappings
| Taxynomy | Id | Name | Fit |
|---|
| PLOVER | | Sensitive Data Under Web Root | |
| OWASP Top Ten 2004 | A10 | Insecure Configuration Management | CWE_More_Specific |
References:None
