DefenseCode

Source Code Disclosure

Risk type: HIGH

Description:

The website may have a custom download page that lets users download content. If that page is vulnerable to source code disclosure, it can be used to extract the application's source code and configuration files.

Example:

The website has a PHP script called "download.php" which allows users to download specific files from the server:

http://www.victim.com/download.php

When used to download the file "document.doc", the generated link could look something like this:

http://www.victim.com/download.php?filename=document.doc

If the script is vulnerable to source code disclosure, an attacker could download the source code of the "download.php" file itself using the following URL:

http://www.victim.com/download.php?filename=download.php

Mitigation:

  • Use a whitelist of directories from which files may be downloaded, and validate every request against that list.
  • Validate the file types requested by users.
  • Index the files that are allowed for download and pass only their index numbers as the URL parameter values.
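The three mitigations above, shown as an added example that is not code from DefenseCode or the original page; it is written in Python rather than PHP so it runs stand-alone, and the web root, download directory, file index and extension list are assumed values:

```python
import os

# Constructed layout (assumed paths, not from the original page): the web root
# holds download.php, and only files under its "files" subdirectory may be served.
WEB_ROOT = os.path.realpath("/var/www/html")
DOWNLOAD_DIR = os.path.join(WEB_ROOT, "files")
ALLOWED_EXTENSIONS = {".doc", ".pdf", ".zip"}
# Mitigation 3: an index of downloadable files; the URL carries only the number.
FILE_INDEX = {1: "document.doc", 2: "report.pdf"}


def vulnerable_resolve(filename):
    """The flawed pattern: the filename parameter is used as-is relative to the
    web root, so filename=download.php returns the script's own source file."""
    return os.path.join(WEB_ROOT, filename)


def safe_resolve(filename):
    """Mitigations 1 and 2: confine the path to DOWNLOAD_DIR and check its type.
    Returns the absolute path to serve, or None if the request must be refused."""
    try:
        # realpath collapses '..' and follows symlinks, so the containment check
        # below sees the file that would actually be opened. An absolute
        # filename such as /etc/passwd replaces DOWNLOAD_DIR in os.path.join
        # and is rejected by the same check.
        candidate = os.path.realpath(os.path.join(DOWNLOAD_DIR, filename))
        if os.path.commonpath([candidate, DOWNLOAD_DIR]) != DOWNLOAD_DIR:
            return None
    except ValueError:  # embedded null byte, or paths on different drives
        return None
    if os.path.splitext(candidate)[1].lower() not in ALLOWED_EXTENSIONS:
        return None
    return candidate


def resolve_by_index(param):
    """Mitigation 3: the client never supplies a path, only an index number."""
    try:
        file_id = int(param)
    except ValueError:
        return None
    name = FILE_INDEX.get(file_id)
    return None if name is None else os.path.join(DOWNLOAD_DIR, name)
```

With the vulnerable resolver, filename=download.php maps to the script itself; the hardened resolvers refuse that request both by directory containment and by file type.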

Further reading:

http://www.secureyes.net/downloads/Source_Code_Disclosure_over_HTTP.pdf