CWE-433: Unparsed Raw Web Content Delivery

Variant Incomplete Simple

CWE Version: 4.18

Last Updated: 2025-09-09

Weakness Description

The product stores raw content or supporting code under the web document root with an extension that is not specifically handled by the server.

Extended Description

If code is stored in a file with an extension such as ".inc" or ".pl", and the web server does not have a handler for that extension, then the server will likely send the contents of the file directly to the requester without the pre-processing that was expected. When that file contains sensitive information such as database credentials, this may allow the attacker to compromise the application or associated components.

Common Consequences

Scope: Confidentiality

Technical Impact: Read Application Data

Potential Mitigations

Phase: Architecture and Design

Description: Perform a type check before interpreting files.

Phase: Architecture and Design

Description: Do not store sensitive information in files which may be misinterpreted.
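An added example (not part of the CWE entry) of the type check the mitigation calls for, run from the defender's side: it walks a document root and flags support-code files (".inc", ".pl", ".conf"), files with no handler at all, and files whose extension only matches a handler case-insensitively, which is the uppercase-extension chain listed among the observed examples. The extension sets and the sample document root are assumptions constructed for the demo.

```python
import os
import tempfile
from pathlib import Path

# Extensions the web server is assumed to hand to an interpreter or serve as
# static content. Anything else under the document root risks being returned
# verbatim (CWE-433). Constructed for this example, not taken from the CWE.
HANDLED = {".php", ".html", ".htm", ".css", ".js", ".png", ".jpg"}
# Include/support code and configuration that should not sit under the
# document root at all, whatever handlers exist.
SUPPORT_CODE = {".inc", ".pl", ".conf", ".ini", ".sql"}


def classify(filename: str) -> str:
    """Return 'ok', 'support-code', 'case-mismatch' or 'unhandled'."""
    ext = Path(filename).suffix
    if ext.lower() in SUPPORT_CODE:
        return "support-code"
    if ext in HANDLED:
        return "ok"
    # Handler matches only case-insensitively: a case-sensitive server may
    # skip the interpreter and deliver the raw source instead.
    if ext.lower() in HANDLED:
        return "case-mismatch"
    return "unhandled"


def audit_docroot(root: str) -> dict:
    """Map each suspicious file (relative path) under root to its verdict."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            verdict = classify(name)
            if verdict != "ok":
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                findings[rel.replace(os.sep, "/")] = verdict
    return findings


def demo() -> dict:
    """Build a constructed sample document root and audit it."""
    with tempfile.TemporaryDirectory() as root:
        for rel in ["index.php", "style.css", "lib/db.inc", "cgi/form.pl",
                    "config.conf", "admin/Login.PHP", "notes.bak"]:
            p = Path(root, rel)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text("sample content")
        return audit_docroot(root)
```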

Observed Examples

Reference: CVE-2002-1886

".inc" file stored under web document root and returned unparsed by the server

Reference: CVE-2002-2065

".inc" file stored under web document root and returned unparsed by the server

Reference: CVE-2005-2029

".inc" file stored under web document root and returned unparsed by the server

Reference: CVE-2001-0330

direct request to .pl file leaves it unparsed

Reference: CVE-2002-0614

.inc file

Reference: CVE-2004-2353

unparsed config.conf file

Reference: CVE-2007-3365

Chain: uppercase file extensions cause the web server to return script source code instead of executing the script.

Modes of Introduction

Phase             Note
Implementation    -
Operation         -

Applicable Platforms

Languages
Not Language-Specific (Undetermined)

Taxonomy Mappings

Taxonomy Name    Entry ID    Entry Name                            Mapping Fit
PLOVER           -           Unparsed Raw Web Content Delivery     -

Key Information

CWE ID: CWE-433

Abstraction: Variant

Structure: Simple

Status: Incomplete

Related Weaknesses