Unparsed Raw Web Content Delivery

Description

This vulnerability occurs when a web application stores unprocessed files—like configuration scripts or raw source code—in publicly accessible directories using file extensions the server doesn't recognize.

Extended Description

Web servers are configured to process certain file types (like .php or .asp) before sending them to users. When you place files with extensions like .inc, .config, .bak, or .old in a web-accessible folder, and the server doesn't have a handler for them, it treats them as plain text. The server then delivers the raw, unprocessed file content directly to anyone who requests it. This becomes critical when these files contain sensitive information such as database connection strings, API keys, internal comments, or backend logic. Attackers can easily discover and download these files, bypassing any intended security controls. To prevent this, always store supporting code and configuration files outside the web root or use server rules to explicitly block access to non-standard extensions.

Common Consequences 1

Scope: Confidentiality

Impact: Read Application Data

Potential Mitigations 2

Phase: Architecture and Design

Perform a type check before interpreting files.

Phase: Architecture and Design

Do not store sensitive information in files which may be misinterpreted.

Demonstrative Examples 1

ID : DX-104

The following code uses an include file to store database credentials:

database.inc

Code Example:Bad
PHP
php

Code Example:Bad
PHP
php

If the server does not have an explicit handler set for .inc files it may send the contents of database.inc to an attacker without pre-processing, if the attacker requests the file directly. This will expose the database name and password.

Observed Examples 7

CVE-2002-1886".inc" file stored under web document root and returned unparsed by the server

CVE-2002-2065".inc" file stored under web document root and returned unparsed by the server

CVE-2005-2029".inc" file stored under web document root and returned unparsed by the server

CVE-2001-0330direct request to .pl file leaves it unparsed

CVE-2002-0614.inc file

CVE-2004-2353unparsed config.conf file

CVE-2007-3365Chain: uppercase file extensions causes web server to return script source code instead of executing the script.

References 1

The Art of Software Security Assessment

Mark Dowd, John McDonald, and Justin Schuh

Addison Wesley

2006

ID: REF-62

Applicable Platforms

Languages:

Not Language-Specific : Undetermined

Modes of Introduction

Implementation

Operation

Related Weaknesses

ChildOf:

Storage of File with Sensitive Data Under Web Root (CWE-219)

Taxonomy Mapping

PLOVER

Notes

RelationshipThis overlaps direct requests (Direct Request ('Forced Browsing')), alternate path (Improper Protection of Alternate Path), permissions (Permission Issues), and sensitive file under web root (Storage of File with Sensitive Data Under Web Root).