1. Home
  2. CWE Database
  3. CWE-433
Variant · Low-Medium

CWE-433: Unparsed Raw Web Content Delivery

The product stores raw content or supporting code under the web document root with an extension that is not specifically handled by the server.

CWE-433 · Variant Level ·7 CVEs ·2 Mitigations

Description

The product stores raw content or supporting code under the web document root with an extension that is not specifically handled by the server.

If code is stored in a file with an extension such as ".inc" or ".pl", and the web server does not have a handler for that extension, then the server will likely send the contents of the file directly to the requester without the pre-processing that was expected. When that file contains sensitive information such as database credentials, this may allow the attacker to compromise the application or associated components.

Potential Impact

Confidentiality

Read Application Data

Demonstrative Examples

The following code uses an include file to store database credentials:
database.inc
Bad
<?php$dbName = 'usersDB';$dbPassword = 'skjdh#67nkjd3$3$';?>
login.php
Bad
<?phpinclude('database.inc');$db = connectToDB($dbName, $dbPassword);$db.authenticateUser($username, $password);?>
If the server does not have an explicit handler set for .inc files it may send the contents of database.inc to an attacker without pre-processing, if the attacker requests the file directly. This will expose the database name and password.

Mitigations & Prevention

Architecture and Design

Perform a type check before interpreting files.

Architecture and Design

Do not store sensitive information in files which may be misinterpreted.

Real-World CVE Examples

CVE IDDescription
CVE-2002-1886".inc" file stored under web document root and returned unparsed by the server
CVE-2002-2065".inc" file stored under web document root and returned unparsed by the server
CVE-2005-2029".inc" file stored under web document root and returned unparsed by the server
CVE-2001-0330direct request to .pl file leaves it unparsed
CVE-2002-0614.inc file
CVE-2004-2353unparsed config.conf file
CVE-2007-3365Chain: uppercase file extensions causes web server to return script source code instead of executing the script.

CWE-219: Storage of File with Sensitive Data Under Web Root

The product stores sensitive data under the web document root with insufficient access control, which might make it acce...

Taxonomy Mappings

  • PLOVER: — Unparsed Raw Web Content Delivery

Frequently Asked Questions

What is CWE-433?

CWE-433 (Unparsed Raw Web Content Delivery) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Variant-level weakness. The product stores raw content or supporting code under the web document root with an extension that is not specifically handled by the server.

How can CWE-433 be exploited?

Attackers can exploit CWE-433 (Unparsed Raw Web Content Delivery) to read application data. This weakness is typically introduced during the Implementation, Operation phase of software development.

How do I prevent CWE-433?

Key mitigations include: Perform a type check before interpreting files.

What is the severity of CWE-433?

CWE-433 is classified as a Variant-level weakness (Low-Medium abstraction). It has been observed in 7 real-world CVEs.