Invicti identified a possible source code disclosure (PHP).
An attacker can obtain server-side source code of the web application, which can contain sensitive data - such as database connection strings, usernames and passwords - along with the technical and business logic of the application.
- Access the database or other data resources. Depending on the privileges of the account obtained from the source code, it may be possible to read, update or delete arbitrary data from the database.
- Gain access to password protected administrative mechanisms such as dashboards, management consoles and admin panels, hence gaining full control of the application.
- Develop further attacks by investigating the source code for input validation errors and logic vulnerabilities.
- Confirm exactly what aspects of the source code are actually disclosed; due to the limitations of this type of vulnerability, it might not be possible to confirm this in all instances. Confirm this is not an intended functionality.
- If it is a file required by the application, change its permissions to prevent public users from accessing it. If it is not, then remove it from the web server.
- Ensure that the server has all the current security patches applied.
- Remove all temporary and backup files from the web server.
- Why Framework Choice Matters in Web Application Security
- Sven Morgenroth Talks About PHP Object Injection Vulnerabilities on Paul’s Security Weekly Podcast
- End of Support for PHP 5 and PHP 7.0
- The Powerful Resource of PHP Stream Wrappers
- Sven Morgenroth Talks About PHP Type Juggling on Paul’s Security Weekly Podcast