If the source of an include file is accessible, the file can contain usernames and passwords, as well as sensitive information pertaining to the application and system.
Relationship: ChildOf CWE-540 (View 1000, Ordinal: Primary)
Relationship: ChildOf CWE-540 (View 699, Ordinal: Primary)
|Scope|Impact|
|---|---|
|Confidentiality|Read Application Data|
Do not store sensitive information in include files.
Protect include files from being exposed.
The following code uses an include file to store database credentials:
If the server does not have an explicit handler set for .inc files, it may send the contents of database.inc to an attacker without pre-processing if the attacker requests the file directly. This will expose the database name and password. Note that this is also an example of CWE-433.
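A defender-side check for the exposure described above, as an added example that is not part of the original entry: it walks a web document root and reports `.inc` files the server would not pre-process that contain credential-like assignments. The handler mapping (`.php` only), the regular expression, the function names and the sample tree are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Assumption: only these extensions are mapped to the PHP handler on the server.
HANDLED_EXTENSIONS = {".php"}
# Include-file extension discussed on this page; extend to match local conventions.
INCLUDE_EXTENSIONS = {".inc"}
# Heuristic for credential-like PHP assignments such as $dbPassword = '...';
SECRET_RE = re.compile(
    r"""\$\w*(pass(word|wd)?|secret|user(name)?|dbname)\w*\s*=\s*['"]""", re.I
)

def find_exposed_includes(docroot):
    """Return [(relative_path, [line_numbers])] for include files under docroot
    that would be served unprocessed and hold credential-like assignments."""
    root = Path(docroot)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        ext = path.suffix.lower()
        if ext in HANDLED_EXTENSIONS or ext not in INCLUDE_EXTENSIONS:
            continue
        lines = path.read_text(errors="replace").splitlines()
        hits = [n for n, line in enumerate(lines, 1) if SECRET_RE.search(line)]
        if hits:
            findings.append((path.relative_to(root).as_posix(), hits))
    return findings

def build_sample_docroot(base):
    """Constructed sample tree: an exposed include, a handled script, a harmless include."""
    root = Path(base)
    (root / "lib").mkdir(parents=True, exist_ok=True)
    (root / "database.inc").write_text(
        "<?php\n$dbName = 'exampledb';\n$dbPassword = 'constructed-placeholder';\n?>\n"
    )
    (root / "login.php").write_text("<?php\ninclude('database.inc');\n?>\n")
    (root / "lib" / "footer.inc").write_text("<p>footer</p>\n")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for rel, hits in find_exposed_includes(build_sample_docroot(tmp)):
            print(f"{rel}: credential-like assignment on line(s) {hits}")
```

Any file it reports should be moved outside the document root or have its extension mapped to a handler or denied by the server, in line with the mitigations listed above.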