CWE-219 Sensitive Data Under Web Root
Coverage status: Background only, this CWE is in scope but has no rules in the SiteShadow rule registry. Taint and heuristic analyzers may flag related patterns; see the coverage report and known gaps for the authoritative list.
What this means
SiteShadow flagged sensitive files being stored in a location that can be served by the web server (under the web root). If the path is guessable or indexed, the data can be downloaded without authentication.
Why it matters
Web-exposed files can be accessed without authentication.
- Direct data leaks: backups, exports,
.env, logs, database dumps. - Credential compromise: keys and tokens stored under web root are frequently harvested by scanners.
- Hard to notice: the app "works," but the server is also serving extra files.
Safer examples
1) Store secrets and uploads outside web root
Keep sensitive storage in non-public directories and serve through authenticated handlers when needed.
2) Use separate buckets/paths for public assets vs private data
Static assets can be public; uploads/backups/exports should not share that namespace.
3) Add server-side deny rules (defense-in-depth)
Configure your web server to deny access to sensitive patterns (.env, backups, logs) even if mislocated.
How SiteShadow detects it (high level)
- Flags common sensitive filenames/paths under known public directories (
public/,static/,www/). - Detects patterns where generated exports/uploads are written into web-served paths.
References
- CWE-219: https://cwe.mitre.org/data/definitions/219.html
---
← Back to Vulnerability Library
Catch this with SiteShadow Pro.
This vulnerability class is detected by SiteShadow's Pro-tier engines, two-pass interprocedural taint analysis, heuristic flow checks, AI-context scanning, and cross-file detection. The free tier catches OWASP Top 10 single-file patterns; Pro adds the data-flow depth that finds this class of bug.