Download Netsparker

Pages disclose Web Application PHP Source Code (Server-side Source code)

Netsparker identified a web page that discloses PHP (server side) source code. An attacker can obtain server side source code of web application, which can contain sensitive data such as database connection strings, usernames and passwords along with the technical and business logic of the application.


Depending on the source code, database connection strings, username and passwords, internal workings and business logic of application can be revealed. With such information an attacker can mount the following types of attacks:

  • Access the database or other data resources. Depending on the privileges of the account obtained from source code, it may be possible to read, update or delete arbitrary data from the database.
  • Gain access to password protected administrative mechanisms such as dashboards, management consoles and admin panels, hence gaining full control of the application.
  • Develop further attacks by investigating the source code for input validation errors and logic vulnerabilities.

Actions to Take

  • Where the file is not required delete it form the server, where such files are required ensure that its permissions prevent users from accessing it via the web server.
  • Ensure that the web server security patches are up to date and the latest stable version of the web server software is in use.
  • Remove all temporary and backup files from the server.

Required skills for successful exploitation

This is dependent on the information obtained from source code. Uncovering these forms of vulnerabilities does not require high levels of skills. However a highly skilled attacker could leverage this form of vulnerability to obtain account information for databases or administrative panels, ultimately leading to control of the application or even the host the application reside on.

External References

Go back to the Complete list of Vulnerability Checks.