CWE-219 Sensitive Data Under Web Root
What this means
SiteShadow flagged sensitive files stored in a location the web server serves directly (under the web root, i.e. the directory the server maps URLs onto). If the path is guessable, listed by directory indexing, or referenced anywhere, the file can be downloaded by anyone without authentication.
Why it matters
Web-exposed files can be accessed without authentication.
- Direct data leaks: backups, exports, .env files, logs, database dumps.
- Credential compromise: keys and tokens stored under the web root are frequently harvested by automated scanners that probe well-known paths.
- Hard to notice: the app "works," but the server is also serving extra files nobody intended to publish.
Safer examples
1) Store secrets and uploads outside web root
Keep sensitive storage in non-public directories and serve through authenticated handlers when needed.
2) Use separate buckets/paths for public assets vs private data
Static assets can be public; uploads/backups/exports should not share that namespace.
3) Add server-side deny rules (defense-in-depth)
Configure your web server to deny access to sensitive patterns (.env, backups, logs) so that a file that ends up under the web root by mistake is still not served, and disable directory listing so mislocated files cannot be discovered by browsing.
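The three points above combined in one runnable illustration. This is an added example, not SiteShadow's own code or the application's code: it assumes a hypothetical layout with a served directory public/ and a sibling private/ directory, a startup check that private storage is not nested under the web root, an authenticated handler that is the only path to files in private storage (with traversal refused), and an application-level deny rule for sensitive name patterns. The sample files and the pattern list are constructed for the example.

```python
import re
import tempfile
from pathlib import Path
from typing import Optional, Tuple

# Names that should never be reachable over HTTP, wherever they were mislocated
# (pattern list chosen for this example, not SiteShadow's signature set).
SENSITIVE_NAME = re.compile(
    r"(^|/)(\.env(\..*)?|\.git(/.*)?|.*\.(bak|backup|old|orig|sql|sqlite|log|dump|tar|tgz|zip))$",
    re.IGNORECASE,
)


def denied_by_pattern(url_path: str) -> bool:
    """Deny rule (defense-in-depth): reject requests whose path looks like a secret, backup or log.
    The equivalent at the web-server layer is a location/alias rule that denies these patterns."""
    return SENSITIVE_NAME.search(url_path) is not None


def storage_is_outside_web_root(web_root: Path, private_root: Path) -> bool:
    """Startup check: the private store must not sit under the directory the web server serves."""
    web_root, private_root = web_root.resolve(), private_root.resolve()
    return private_root != web_root and web_root not in private_root.parents


class PrivateStore:
    """Uploads/exports live outside the web root and are only readable through serve()."""

    def __init__(self, private_root: Path):
        self.root = private_root.resolve()

    def resolve(self, name: str) -> Optional[Path]:
        # Resolve symlinks and '..', then insist the result is still inside the store.
        candidate = (self.root / name).resolve()
        return candidate if self.root in candidate.parents else None

    def serve(self, user: dict, name: str) -> Tuple[int, bytes]:
        """Authenticated handler: the only way file bytes leave the private store."""
        if not user.get("authenticated"):
            return 401, b""
        path = self.resolve(name)
        if path is None or not path.is_file():
            return 404, b""  # traversal attempts and missing files look the same to the caller
        return 200, path.read_bytes()


def demo() -> dict:
    """Build a constructed layout in a temp dir and exercise the checks above."""
    with tempfile.TemporaryDirectory() as tmp:
        web_root = Path(tmp) / "public"      # served directly by the web server
        private_root = Path(tmp) / "private"  # sibling of the web root, never inside it
        (web_root / "css").mkdir(parents=True)
        private_root.mkdir()
        (web_root / "css" / "site.css").write_text("body{}")
        # Constructed sample export; in a real app this is what a report job writes.
        (private_root / "export.csv").write_text("id,email\n1,alice@example.test\n")
        store = PrivateStore(private_root)
        return {
            "layout_ok": storage_is_outside_web_root(web_root, private_root),
            "bad_layout": storage_is_outside_web_root(web_root, web_root / "uploads"),
            "anon": store.serve({}, "export.csv")[0],
            "authed": store.serve({"authenticated": True}, "export.csv"),
            "traversal": store.serve({"authenticated": True}, "../public/css/site.css")[0],
            "deny_env": denied_by_pattern("/.env"),
            "deny_dump": denied_by_pattern("/backups/db.sql"),
            "allow_css": denied_by_pattern("/css/site.css"),
        }


if __name__ == "__main__":
    print(demo())
```

The containment check in resolve() runs after Path.resolve(), so a symlink inside private/ that points back under the web root is rejected as well as a plain "../" segment. The deny rule is deliberately applied to the request path rather than the filesystem, so it still fires when a file was copied into public/ by a deploy script the application never sees.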
How SiteShadow detects it (high level)
- Flags common sensitive filenames/paths under known public directories (public/, static/, www/).
- Detects patterns where generated exports/uploads are written into web-served paths.
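A simplified version of both checks, written as an added example rather than SiteShadow's actual detector: a filesystem scan that flags sensitive-looking filenames found beneath public/, static/ or www/, and a source-line scan that flags open() calls writing into one of those directories. The pattern set, the sample source lines and the sample directory tree are all constructed for the example.

```python
import re
import tempfile
from pathlib import Path
from typing import List, Tuple

# Directories the page names as web-served; real tools keep a longer, configurable list.
PUBLIC_DIRS = {"public", "static", "www"}

# Filenames that look like secrets, backups, dumps or logs (example set, not SiteShadow's).
SENSITIVE_FILE = re.compile(
    r"^(\.env(\..*)?|.*\.(bak|backup|old|orig|sql|sqlite|dump|log|tar|tgz|zip|pem|key))$",
    re.IGNORECASE,
)

# open("<...>/public/<...>", "w"|"a"|"x"): a write into a served path. Captures the path literal.
WRITE_TO_PUBLIC = re.compile(
    r"""open\(\s*['"]((?:[^'"]*/)?(?:public|static|www)/[^'"]*)['"]\s*,\s*['"][wax]"""
)


def scan_tree(root: Path) -> List[str]:
    """Return repo-relative paths of sensitive-looking files that sit under a public directory."""
    findings = []
    for path in root.rglob("*"):  # pathlib's glob includes dotfiles such as .env
        if not path.is_file():
            continue
        rel = path.relative_to(root)
        under_public = any(part in PUBLIC_DIRS for part in rel.parts[:-1])
        if under_public and SENSITIVE_FILE.match(path.name):
            findings.append(rel.as_posix())
    return sorted(findings)


def scan_source(source: str) -> List[Tuple[int, str]]:
    """Return (line number, path literal) for each write into a web-served directory."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        match = WRITE_TO_PUBLIC.search(line)
        if match:
            hits.append((lineno, match.group(1)))
    return hits


# Constructed sample source: two writes land under served paths, one does not, one is a read.
SAMPLE_SOURCE = "\n".join([
    'with open("public/exports/users.csv", "w") as f:',  # export written under public/
    "    f.write(data)",
    'with open("var/exports/users.csv", "w") as f:',     # fine: outside the web root
    "    f.write(data)",
    'log = open("static/debug.log", "a")',               # log file appended under static/
    'open("www/index.html").read()',                     # read-only, not a finding
])


def scan_demo() -> List[str]:
    """Build a constructed project tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel in [
            "public/.env",             # secret under the web root
            "public/backup.sql",       # database dump under the web root
            "public/css/site.css",     # legitimate static asset
            "static/app.js",           # legitimate static asset
            "www/dump.tar",            # archive under the web root
            "var/private/export.csv",  # sensitive, but outside any served directory
        ]:
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text("sample\n")
        return scan_tree(root)


if __name__ == "__main__":
    print(scan_demo())
    print(scan_source(SAMPLE_SOURCE))
```

Both scans are intentionally name-based: they trade some false positives (a harmless file called notes.log under static/) for catching the cases that actually get harvested, and a real detector would additionally resolve the configured document root instead of relying on directory names alone.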
References
- CWE-219: https://cwe.mitre.org/data/definitions/219.html
---