Source code disclosure

Medium Web Application Scanning Plugin ID 98098

Synopsis

Source code disclosure

Description

A modern web application will be reliant on several different programming languages.

These languages can be broken up in two flavours. These are client-side languages
(such as those that run in the browser -- like JavaScript) and server-side
languages (which are executed by the server -- like ASP, PHP, JSP, etc.) to form
the dynamic pages (client-side code) that are then sent to the client.

Because all server side code should be executed by the server, it should never be
seen by the client. However in some scenarios, it is possible that:

1. The server side code has syntax errors and therefore is not executed by the
server but is instead sent to the client.
2. Using crafted requests it is possible to force the server into displaying the
source code of the application without executing it.

As the server-side source code often contains sensitive information, such as
database connection strings or details into the application workflow, this can be
extremely risky.

Cyber-criminals will attempt to discover pages that either accidentally or
forcefully allow the server-side source code to be disclosed, to assist in
discovering further vulnerabilities or sensitive information.

Scanner has detected server-side source code within the server's response.

_(False positives may occur when requesting binary files such as images
(.JPG or .PNG) and may require manual verification.)_

Solution

It is important that input sanitisation be conducted to prevent application files (ASP, JSP, PHP or config files) from being called. It is also important that the file system permissions are correctly configured and that all unused files are removed from the web root.
If these are not an option, then the vulnerable file should be removed from the server.

See Also

http://cwe.mitre.org/data/definitions/540.html

Plugin Details

Severity: Medium

ID: 98098

Type: remote

Published: 2017/03/31

Modified: 2017/10/16

Risk Information

Risk Factor: Medium

CVSSv2

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSSv3

Base Score: 5.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Reference Information