CWE-541: Inclusion of Sensitive Information in an Include File
Official CWE-541 CWE context with Glexia analysis, remediation guidance, related CVEs, and ATT&CK context.
Glexia's Take
CWE-541: Inclusion of Sensitive Information in an Include File
Inclusion of Sensitive Information in an Include File represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.
Executive Impact
- Confidentiality: Read Application Data
Developer Pattern
CWE-541 is the kind of defect developers can usually prevent with explicit validation, safer framework defaults, and tests that exercise hostile input or unsafe state transitions.
Confidence
high confidence from CWE-541, 4.20.
Official CWE Definition
CWE-541: Inclusion of Sensitive Information in an Include File
If an include file source is accessible, the file can contain usernames and passwords, as well as sensitive information pertaining to the application and system.
Developer And Remediation Guidance
How teams prevent and detect this weakness
Causes
- The following code uses an include file to store database credentials: database.inc,login.php,If the server does not have an explicit handler set for .inc files it may send the contents of database.inc to an attacker without pre-processing, if the attacker requests the file directly. This will expose the database name and password.
Remediation
- Architecture and Design: Do not store sensitive information in include files.
- Architecture and Design,System Configuration: Protect include files from being exposed.
Detection
- Code review
- SAST
- DAST
- Focused regression tests
Mappings
Related CVEs, CWEs, and ATT&CK context
ATT&CK Relevance
ATT&CK relevance is shown only when reviewed or responsibly inferred.