| VID |
21924 |
| Severity |
30 |
| Port |
80, ... |
| Protocol |
TCP |
| Class |
CGI |
| Detailed Description |
A file with the appended extension .inc was found on the server. An .inc file is normally just an include file that is designed to be included into some other source file. ".inc" files typically define macros and other extraneous and reusable bits of code. An unwritten convention says that .inc files can be included multiple times within a source file and be generally included into source files using the #include compiler directive.
If these files contain program source, information such as server logic or ODBC/JDBC user ID and passwords may be revealed since this file extension may not be processed by the web server. This could allow a remote attacker to view the logic of the script and extract extremely useful information such as code bugs or logins and passwords.
* Platforms Affected:
Any HTTP server Any version
Any operating system Any version |
| Recommendation |
Consider the following recommendations:
- Remove the file if it is not needed.
- Restrict the directory permissions.
- Carefully rename .inc suffix to a value that is difficult to guess.
- Move it to a location not accessible from the outside. |
| Related URL |
(CVE) |
| Related URL |
(SecurityFocus) |
| Related URL |
(ISS) |
|
