01 Summary
This weakness occurs when an application stores sensitive information—such as database credentials, API keys, private keys, or user data—in files placed within the web-accessible directory. Because these files are under the web root, they can be retrieved directly via HTTP requests, bypassing any application-level access controls. An attacker who discovers or guesses the file path can download the sensitive data without authentication.
02 How It Happens
Developers sometimes store configuration files, backups, or temporary data in directories that are meant to be served by the web server. This happens when the distinction between "files the application needs to read" and "files the web server should serve" becomes blurred. Common scenarios include:
- Placing .env files, config.php, or settings.ini in the document root or a subdirectory
- Storing database dumps or CSV exports in a publicly accessible uploads/ or backups/ folder
- Leaving private keys, certificates, or credentials in a keys/ or certs/ directory under the web root
- Committing sensitive files to version control and deploying the entire .git/ directory to the server
The core issue is that the web server's document root is configured to serve everything within it, and no additional access control (file permissions, .htaccess rules, or application-level checks) prevents direct HTTP retrieval.
03 Real-World Impact
An attacker can directly request the sensitive file via a browser or automated tool and receive its contents. This can lead to:
- Credential compromise: database passwords, API keys, or service account credentials exposed, allowing attackers to access backend systems.
- Data breach: unencrypted user data, PII, or business information downloaded in bulk.
- Account takeover: private keys or session tokens stolen and used to impersonate legitimate users or administrators.
- Further exploitation: configuration details revealing internal architecture, software versions, or other systems that can be targeted.
06 Signs You May Already Be Affected
Check your web server logs for HTTP requests to files like config.php, .env, settings.ini, backup.sql, or private.key. Unexpected 200 (success) responses to these requests suggest the files are accessible. Additionally, review your web root directory listing: if you see configuration files, database dumps, or private keys, they should be moved outside the web root immediately.
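The two checks above (successful requests for sensitive paths in the access log, and sensitive files present under the document root) can be scripted. The following is an added example written for this page, not code from the original article or any named project. It assumes the common Apache/nginx "combined" log layout and a hypothetical list of sensitive names, suffixes and directory names that you would extend for your own stack; the sample log lines are constructed.

```python
from __future__ import annotations
import re
from pathlib import Path
from typing import Iterable

# Hypothetical watch lists (extend per stack): file names, extensions and
# directory names that should never sit under the document root.
SENSITIVE_NAMES = {".env", "config.php", "settings.ini", "backup.sql", "private.key", "id_rsa"}
SENSITIVE_SUFFIXES = {".sql", ".key", ".pem", ".bak", ".ini", ".env", ".dump"}
SENSITIVE_DIRS = {".git", "backups", "keys", "certs"}

# Prefix of the Apache/nginx "combined" access-log format (assumed layout).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def is_sensitive_path(url_path: str) -> bool:
    """True if the path names a file or directory from the watch lists."""
    path = url_path.split("?", 1)[0]            # ignore the query string
    parts = [p for p in path.split("/") if p]   # drop empty segments
    if not parts:
        return False
    if any(p in SENSITIVE_DIRS for p in parts):
        return True
    name = parts[-1]
    return name in SENSITIVE_NAMES or Path(name).suffix.lower() in SENSITIVE_SUFFIXES


def find_exposures(log_lines: Iterable[str]) -> dict[str, list[dict]]:
    """Split requests for sensitive paths into those the server actually
    served (2xx: the file is reachable) and those it refused (probes only)."""
    served: list[dict] = []
    probed: list[dict] = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or not is_sensitive_path(m.group("path")):
            continue
        status = int(m.group("status"))
        entry = {"ip": m.group("ip"), "path": m.group("path"), "status": status}
        (served if 200 <= status < 300 else probed).append(entry)
    return {"served": served, "probed": probed}


def audit_paths(relative_paths: Iterable[str]) -> list[str]:
    """Return the web-root-relative paths that match the watch lists."""
    return sorted(p for p in relative_paths if is_sensitive_path("/" + p))


def audit_web_root(web_root: Path) -> list[str]:
    """Walk a document root on disk and list files that should be moved out."""
    rel = (p.relative_to(web_root).as_posix() for p in web_root.rglob("*") if p.is_file())
    return audit_paths(rel)


# Constructed sample log lines (documentation addresses, not a real server).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /.env HTTP/1.1" 200 512 "-" "curl/8.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /config.php HTTP/1.1" 403 199 "-" "curl/8.0"',
    '198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /backups/backup.sql HTTP/1.1" 200 104857 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /index.php?page=home HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [10/Oct/2023:13:57:10 +0000] "GET /.git/HEAD HTTP/1.1" 404 153 "-" "python-requests/2.31"',
]

if __name__ == "__main__":
    result = find_exposures(SAMPLE_LOG)
    for e in result["served"]:
        print(f"SERVED  {e['status']} {e['path']} to {e['ip']}  <- file is reachable, move it out of the web root")
    for e in result["probed"]:
        print(f"probed  {e['status']} {e['path']} from {e['ip']}")
    # Constructed directory listing, as audit_web_root(Path('/var/www/html')) would produce:
    print(audit_paths(["index.php", "assets/app.js", ".env", "backups/dump.sql", "certs/server.pem"]))
```

A 2xx entry in `served` means the file is already reachable and should be moved outside the document root before anything else; entries in `probed` show that someone is looking, which is a reason to run `audit_web_root` against the live root rather than assume the 403/404 covers every variant of the name.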