1. Home
  2. CWE Database
  3. CWE-540
Base · Medium

CWE-540: Inclusion of Sensitive Information in Source Code

Source code on a web server or repository often contains sensitive information and should generally not be accessible to users.

CWE-540 · Base Level ·3 CVEs ·1 Mitigations

Description

Source code on a web server or repository often contains sensitive information and should generally not be accessible to users.

There are situations where it is critical to remove source code from an area or server. For example, obtaining Perl source code on a system allows an attacker to understand the logic of the script and extract extremely useful information such as code bugs or logins and passwords.

Potential Impact

Confidentiality

Read Application Data

Demonstrative Examples

The following code uses an include file to store database credentials:
database.inc
Bad
<?php$dbName = 'usersDB';$dbPassword = 'skjdh#67nkjd3$3$';?>
login.php
Bad
<?phpinclude('database.inc');$db = connectToDB($dbName, $dbPassword);$db.authenticateUser($username, $password);?>
If the server does not have an explicit handler set for .inc files it may send the contents of database.inc to an attacker without pre-processing, if the attacker requests the file directly. This will expose the database name and password.
The following comment, embedded in a JSP, will be displayed in the resulting HTML output.
Bad
<!-- FIXME: calling this with more than 30 args kills the JDBC server -->

Mitigations & Prevention

Architecture and DesignSystem Configuration

Recommendations include removing this script from the web server and moving it to a location not accessible from the Internet.

Detection Methods

  • Automated Static Analysis — Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then sea

Real-World CVE Examples

CVE IDDescription
CVE-2022-25512Server for Team Awareness Kit (TAK) application includes sensitive tokens in the JavaScript source code.
CVE-2022-24867The LDAP password might be visible in the html code of a rendered page in an IT Asset Management tool.
CVE-2007-6197Version numbers and internal hostnames leaked in HTML comments.

CWE-538: Insertion of Sensitive Information into Externally-Accessible File or Directory

The product places sensitive information into files or directories that are accessible to actors who are allowed to have...

Frequently Asked Questions

What is CWE-540?

CWE-540 (Inclusion of Sensitive Information in Source Code) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. Source code on a web server or repository often contains sensitive information and should generally not be accessible to users.

How can CWE-540 be exploited?

Attackers can exploit CWE-540 (Inclusion of Sensitive Information in Source Code) to read application data. This weakness is typically introduced during the Implementation phase of software development.

How do I prevent CWE-540?

Key mitigations include: Recommendations include removing this script from the web server and moving it to a location not accessible from the Internet.

What is the severity of CWE-540?

CWE-540 is classified as a Base-level weakness (Medium abstraction). It has been observed in 3 real-world CVEs.