Dec.19
Why is Source Code Disclosure dangerous?
Source code often contains some form of sensitive information—whether it be configuration-related information (e.g. database credentials) or simply information on how the web application functions. If disclosed, such information can potentially be used by an attacker to discover logical flaws and escalate into a subsequent chain of attacks which would not be possible without access to the application’s source code. These may include attacks such as SQL injection, database takeovers and remote code execution.
It is common practice for web applications to serve non-HTML files, such as PDFs, image files and Word documents that are customized for a specific user.
Let’s take the below example where we have a simple web application http://www.example.com/. This web application is intended to allow users to download a PDF file through a hyperlink.
If we take a closer look, following the link makes an HTTP GET request to a download.php script which makes use of the filename parameter.
More specifically, the following request is sent when the link is clicked – http://www.example.com/download.php?filename=aboutus.pdf
Knowing this, we can take a closer look at the filename parameter, since it seems that the download.php script is designed to allow users to download a specific file from the server. So what would happen if we sent a request to download.php, passing ‘download.php’ as the value of the filename parameter instead of ‘aboutus.pdf’? The resulting URL would look as follows — http://www.example.com/download.php?filename=download.php
After sending the request, the file download.php itself is served to the browser, effectively revealing the source code of download.php. Looking through that source code, it is evident why this happened: the script performs absolutely no validation of the user-supplied filename before reading the file from disk.
```php
<?php
// Import global config values (database host and credentials)
include('admin/config.php');

// Get the filename passed by the user.
// VULNERABLE: the value is used as a filesystem path with no validation,
// so any readable file on the server (including this script) can be requested.
$filepath = $_GET['filename'];

if ($filepath) {
    $connection = mysql_connect($cfg['DATABASE']['HOST'], $cfg['DATABASE']['UNAME'], $cfg['DATABASE']['PASS']);
    if (!$connection) {
        die('Could not connect: ' . mysql_error());
    }
    mysql_select_db('logs', $connection);

    $user_agent = $_SERVER['HTTP_USER_AGENT'];

    // Used by stats.php to track download trends.
    // VULNERABLE: both $filepath and $user_agent are interpolated straight into the query (SQL injection).
    $sql = "INSERT INTO stats VALUES ('$filepath', now(), '$user_agent')";
    $result = mysql_query($sql, $connection);
    if (!$result) {
        echo 'DB Error: ' . mysql_error($connection);
        exit;
    }

    // Clean-up and send file
    mysql_close($connection);
    header('Content-Disposition: attachment; filename=' . basename($filepath));
    readfile($filepath);
}
```
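As an added example, not code from the original article, here is the same script rewritten with the checks that would have prevented this disclosure: the request is reduced to a bare file name, restricted to an allow-listed directory and file type, and logged with a prepared statement. It assumes a dedicated public_downloads/ directory beside the script and that the stats table has columns filename, downloaded_at and user_agent (both assumptions).

```php
<?php
// Hardened download.php (added example). Assumes: files to serve live in
// ./public_downloads/ and the stats table has columns (filename, downloaded_at, user_agent).
include('admin/config.php');

$downloadDir = realpath(__DIR__ . '/public_downloads');
$requested   = $_GET['filename'] ?? '';

// 1. Accept only a bare file name: no directory separators, no traversal sequences.
if ($requested === '' || basename($requested) !== $requested) {
    http_response_code(400);
    exit('Invalid file name');
}

// 2. Serve only the file types the feature is meant to deliver, never scripts.
$extension = strtolower(pathinfo($requested, PATHINFO_EXTENSION));
if (!in_array($extension, ['pdf', 'docx', 'png'], true)) {
    http_response_code(403);
    exit('File type not allowed');
}

// 3. Resolve the real path and confirm it still lies inside the download directory
//    (realpath() also defeats symlinks that point elsewhere).
$path = realpath($downloadDir . DIRECTORY_SEPARATOR . $requested);
if ($path === false || strpos($path, $downloadDir . DIRECTORY_SEPARATOR) !== 0 || !is_file($path)) {
    http_response_code(404);
    exit('File not found');
}

// 4. Log with a prepared statement so neither the file name nor the User-Agent can inject SQL.
$pdo = new PDO(
    "mysql:host={$cfg['DATABASE']['HOST']};dbname=logs;charset=utf8mb4",
    $cfg['DATABASE']['UNAME'],
    $cfg['DATABASE']['PASS'],
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]
);
$stmt = $pdo->prepare('INSERT INTO stats (filename, downloaded_at, user_agent) VALUES (?, NOW(), ?)');
$stmt->execute([$requested, $_SERVER['HTTP_USER_AGENT'] ?? '']);

// 5. Send as an opaque attachment so the browser never treats the content as something to execute.
header('Content-Type: application/octet-stream');
header('X-Content-Type-Options: nosniff');
header('Content-Disposition: attachment; filename="' . $requested . '"');
header('Content-Length: ' . filesize($path));
readfile($path);
```

With these checks, a request for filename=download.php fails at step 1 or 2 and is never passed to readfile(), and the same request is still recorded in the stats table without altering the query.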