CWE-433 (Unparsed Raw Web Content Delivery) is a common software weakness type identified by MITRE's CWE dictionary.

What is the difference between CVE and CWE?

CWE refers to the type of software weakness (root cause), while CVE refers to a specific instance of a vulnerability in a product.

Back to CWE Database

CWE-433

Unparsed Raw Web Content Delivery

Weakness Description

The product stores raw content or supporting code under the web document root with an extension that is not specifically handled by the server.

If code is stored in a file with an extension such as ".inc" or ".pl", and the web server does not have a handler for that extension, then the server will likely send the contents of the file directly to the requester without the pre-processing that was expected. When that file contains sensitive information such as database credentials, this may allow the attacker to compromise the application or associated components.

Potential Mitigations

Architecture and Design

Perform a type check before interpreting files.

Architecture and Design

Do not store sensitive information in files which may be misinterpreted.

Common Consequences

Confidentiality

Read Application Data

Related Weaknesses

CWE-219

Related Resources

Browse CWE Database

Explore 493 software weaknesses

CVE Database

Search 294,000+ vulnerabilities

Security Writeups

Learn from real-world examples

About 4nuxd

Cybersecurity research & tools

Get in touch for collaboration

Homepage

Explore more security resources