Synopsis
Source Code Disclosure
Description
The scanner has detected server-side source code within the server's response.
All server-side code should be executed by the server, so it should never be seen by the client. In some scenarios, however, crafted requests can force the server into displaying the source code of the application without executing it. As server-side source code often contains sensitive information, such as database connection strings or details of the application workflow, this can be extremely risky.
Cyber-criminals will attempt to discover pages that either accidentally or forcefully allow the server-side source code to be disclosed, to assist in discovering further vulnerabilities or sensitive information.
Solution
Input sanitisation should be conducted to prevent application files (ASP, JSP, PHP or config files) from being called. File system permissions should also be correctly configured, and all unused files removed from the web root. If this is not an option, then the vulnerable file should be removed from the server.
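To confirm a finding or re-test after remediation, the following added example (not the scanner's own code) checks response bodies for unexecuted PHP, ASP or JSP tags and flags credential-like assignments next to them. The signature patterns, function names and sample bodies are assumptions constructed for illustration.

```python
import re

# Signatures are assumptions made for this example, not the scanner's rules.
SIGNATURES = {
    "PHP": re.compile(r"<\?(?:php\b|=)", re.I),     # does not match <?xml
    "ASP/JSP": re.compile(r"<%[@=!]?.*?%>", re.S),  # directives and scriptlets
}
# Credential-like assignments of the kind leaked source often contains.
SECRET = re.compile(
    r"(?:password|passwd|pwd|connectionstring)\w*\s*(?:=>|[=:])\s*\S+", re.I)


def scan_response(body):
    """Return (language, line_number) for each raw server-side tag in body."""
    findings = []
    for lang, rx in SIGNATURES.items():
        for m in rx.finditer(body):
            findings.append((lang, body.count("\n", 0, m.start()) + 1))
    return sorted(findings, key=lambda f: f[1])


def leaks_secret(body):
    """True when disclosed source also carries a credential-like assignment."""
    return bool(scan_response(body)) and bool(SECRET.search(body))


# Constructed sample response bodies (not captured from any real server).
RAW_PHP = ('<?php\n$db_host = "localhost";\n$db_password = "example-only";\n'
           '?>\n<html><body>Hi</body></html>\n')
RAW_JSP = ('<%@ page import="java.sql.*" %>\n<html>\n'
           '<%= request.getParameter("q") %>\n</html>\n')
RENDERED = '<?xml version="1.0"?>\n<html><body><p>Welcome</p></body></html>\n'
ESCAPED = '<pre>&lt;?php echo $x; ?&gt;</pre>\n'  # tutorial page, HTML-escaped

if __name__ == "__main__":
    samples = {"raw php": RAW_PHP, "raw jsp": RAW_JSP,
               "rendered": RENDERED, "escaped": ESCAPED}
    for name, body in samples.items():
        print(f"{name:9} tags={scan_response(body)} secret={leaks_secret(body)}")
```

HTML-escaped code on a documentation page and the `<?xml` prolog are not reported, since neither indicates code the server failed to execute.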