A website may have a custom download page that lets users download content. If that page is vulnerable to source code disclosure, it can be used to extract source code and configuration files.
The website has a PHP script called "download.php" which allows users to download specific files from the server:
When used to download the file "document.doc", the generated link could look something like this:
If the script is vulnerable to source code disclosure, the attacker could download the source code of the "download.php" file using the following URL:
- Use a whitelist of directories from which files are allowed for download, and validate requests against that list.
- Validate file types requested by users.
- Index the files that are allowed for download and pass only their index numbers as the URL parameter values.
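
The three measures above combined in one download handler, as an added example that is not code from the original page. The `id` parameter name, the `/var/www/downloads` directory, the extension list and the file index are assumptions chosen for illustration.

```php
<?php
// Added example. Hypothetical names: the "id" parameter, DOWNLOAD_ROOT,
// ALLOWED_EXTENSIONS and the entries in FILE_INDEX.
declare(strict_types=1);

const DOWNLOAD_ROOT = '/var/www/downloads';          // only directory served
const ALLOWED_EXTENSIONS = ['doc', 'docx', 'pdf'];   // file types users may fetch
const FILE_INDEX = [                                 // index number => stored file
    1 => 'document.doc',
    2 => 'manual.pdf',
];

/** Map a user-supplied index to an absolute path, or return null to reject. */
function resolveDownload(string $rawId): ?string
{
    // Accept only a plain decimal index; file names never come from the request.
    if (!ctype_digit($rawId) || !isset(FILE_INDEX[(int) $rawId])) {
        return null;
    }
    $root = realpath(DOWNLOAD_ROOT);
    $path = realpath(DOWNLOAD_ROOT . '/' . FILE_INDEX[(int) $rawId]);
    if ($root === false || $path === false || !is_file($path)) {
        return null;
    }
    // Directory whitelist: the canonical path must stay under the root,
    // which also rejects index entries or symlinks that point outside it.
    if (strncmp($path, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }
    // File type check: .php, .ini and other non-listed types never pass.
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    return in_array($ext, ALLOWED_EXTENSIONS, true) ? $path : null;
}

$id = $_GET['id'] ?? '';
$path = resolveDownload(is_string($id) ? $id : '');
if ($path === null) {
    http_response_code(404);   // same response for every rejection reason
    exit;
}
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('X-Content-Type-Options: nosniff');
header('Content-Length: ' . (string) filesize($path));
readfile($path);
```

Because the request carries only an index number, a request naming "download.php" or a configuration file has nothing to resolve to and is rejected before any file system access.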