CWE-433 Variant Incomplete

Unparsed Raw Web Content Delivery

This vulnerability occurs when a web application stores unprocessed files—like configuration scripts or raw source code—in publicly accessible directories using file extensions the server doesn't…

Definition

What is CWE-433?

This vulnerability occurs when a web application stores unprocessed files—like configuration scripts or raw source code—in publicly accessible directories using file extensions the server doesn't recognize.
Web servers are configured to process certain file types (like .php or .asp) before sending them to users. When you place files with extensions like .inc, .config, .bak, or .old in a web-accessible folder, and the server doesn't have a handler for them, it treats them as plain text. The server then delivers the raw, unprocessed file content directly to anyone who requests it. This becomes critical when these files contain sensitive information such as database connection strings, API keys, internal comments, or backend logic. Attackers can easily discover and download these files, bypassing any intended security controls. To prevent this, always store supporting code and configuration files outside the web root or use server rules to explicitly block access to non-standard extensions.
Real-world impact

Real-world CVEs caused by CWE-433

  • CVE-2002-1886

    ".inc" file stored under web document root and returned unparsed by the server

  • CVE-2002-2065

    ".inc" file stored under web document root and returned unparsed by the server

  • CVE-2005-2029

    ".inc" file stored under web document root and returned unparsed by the server

  • CVE-2001-0330

    direct request to .pl file leaves it unparsed

  • CVE-2002-0614

    .inc file

  • CVE-2004-2353

    unparsed config.conf file

  • CVE-2007-3365

    Chain: uppercase file extensions causes web server to return script source code instead of executing the script.

How attackers exploit it

Step-by-step attacker path

  1. 1

    The following code uses an include file to store database credentials:

  2. 2

    database.inc

  3. 3

    login.php

  4. 4

    If the server does not have an explicit handler set for .inc files it may send the contents of database.inc to an attacker without pre-processing, if the attacker requests the file directly. This will expose the database name and password.

Vulnerable code example

Vulnerable PHP

database.inc

Vulnerable PHP 
<?php
  $dbName = 'usersDB';
  $dbPassword = 'skjdh#67nkjd3$3$';
  ?>
Secure code example

Secure pseudo

Secure pseudo 
// Validate, sanitize, or use a safe API before reaching the sink.
function handleRequest(input) {
  const safe = validateAndEscape(input);
  return executeWithGuards(safe);
}
What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.
Prevention checklist

How to prevent CWE-433

  • Architecture and Design Perform a type check before interpreting files.
  • Architecture and Design Do not store sensitive information in files which may be misinterpreted.
Detection signals

How to detect CWE-433

SAST High

Run static analysis (SAST) on the codebase looking for the unsafe pattern in the data flow.

DAST Moderate

Run dynamic application security testing against the live endpoint.

Runtime Moderate

Watch runtime logs for unusual exception traces, malformed input, or authorization bypass attempts.

Code review Moderate

Code review: flag any new code that handles input from this surface without using the validated framework helpers.

Plexicus auto-fix

Plexicus auto-detects CWE-433 and opens a fix PR in under 60 seconds.

Codex Remedium scans every commit, identifies this exact weakness, and ships a reviewer-ready pull request with the patch. No tickets. No hand-offs.

Get a demo Try Plexicus free
Frequently asked questions

Frequently asked questions

What is CWE-433?

This vulnerability occurs when a web application stores unprocessed files—like configuration scripts or raw source code—in publicly accessible directories using file extensions the server doesn't recognize.

How serious is CWE-433?

MITRE has not published a likelihood-of-exploit rating for this weakness. Treat it as medium-impact until your threat model proves otherwise.

What languages or platforms are affected by CWE-433?

MITRE has not specified affected platforms for this CWE — it can apply across most application stacks.

How can I prevent CWE-433?

Perform a type check before interpreting files. Do not store sensitive information in files which may be misinterpreted.

How does Plexicus detect and fix CWE-433?

Plexicus's SAST engine matches the data-flow signature for CWE-433 on every commit. When a match is found, our Codex Remedium agent opens a fix PR with the corrected code, tests, and a one-line summary for the reviewer.

Where can I learn more about CWE-433?

MITRE publishes the canonical definition at https://cwe.mitre.org/data/definitions/433.html. You can also reference OWASP and NIST documentation for adjacent guidance.

Related weaknesses

Weaknesses related to CWE-433

CWE-219 Parent

Storage of File with Sensitive Data Under Web Root

This vulnerability occurs when an application saves sensitive files, such as configuration data or private keys, inside the web server's…

Resources

Further reading

Ready when you are

Stop paying per developer.
Start closing the loop.

Plexicus is the AI-native ASPM that scans, filters, fixes, pentests, and explains — autonomously. Unlimited developers, unlimited repos, fair-use AI actions. Real free tier, €269/mo annual when you're ready.

Get started free Book a demo