CWE WEAKNESSES / CWE-219
CWE-219
Storage of File with Sensitive Data Under Web Root
Variant
What it is
The product stores sensitive data under the web document root with insufficient access control, which might make it accessible to untrusted parties.
Besides public-facing web pages and code, products may store sensitive data, code that is not directly invoked, or other files under the web document root of the web server. If the server is not configured or otherwise used to prevent direct access to those files, then attackers may obtain this sensitive data.
Impact
| Confidentiality | Read Application Data |
Mitigations
- [Implementation, System Configuration] Avoid storing information under the web root directory.
- [System Configuration] Access control permissions should be set to prevent reading/writing of sensitive files inside/outside of the web directory.
Real-world CVE examples
- CVE-2005-1835 — Data file under web root.
- CVE-2005-2217 — Data file under web root.
- CVE-2002-1449 — Username/password in data file under web root.
- CVE-2002-0943 — Database file under web root.
- CVE-2005-1645 — database file under web root.
Related weaknesses
Test & detect
Browse all common weaknesses, check related exploited CVEs, or map to ATT&CK techniques.
Source: MITRE CWE. View on cwe.mitre.org →