
Open Source Web Security Platform

Possible Source Code Disclosure


AT A GLANCE

Classification Information

Resource /

Risk Medium

REQUEST

GET /?wordfence_syncAttackData=1607582289.6709vbscript:-->">'>'"

RESOURCE CONTENT

Possible PHP code:


<?php bloginfo( 'charset' ); ?>

DISCUSSION

Vega has detected fragments of text that match signatures of application source code. Application source code that is unintentionally visible to remote clients can be a security vulnerability. This can occur in applications built on technologies such as PHP and JSP, which allow code to be mixed with static presentation content. For example, in-line code is sometimes commented out using HTML comments, so it is still transmitted to remote clients. For an attacker, source code can reveal information about the nature of the application, such as its design or its use of third-party components. Sometimes sensitive information, such as a database connection string, is included in source code.

IMPACT

Could result in disclosure of sensitive information to attackers.

Source code fragments can include information about the design/structure of the application, including use of third-party components.
This information may not otherwise be easily known by an adversary.
Sometimes source code also contains highly sensitive information, such as passwords (database connection strings).

REMEDIATION

The developer should verify that the output detected by Vega is in fact application source code.
The cause should be determined, and the material removed or prevented from being output.

REFERENCES

Some additional links with relevant information published by third-parties:

Information Leakage (OWASP)


CWE-540: Information Exposure through Source Code (Mitre)

Information Leakage (WASC)


Possible Source Code Disclosure
AT A GLANCE

Classification Information

Resource /%23wpcf7-f1488-o1

Risk Medium

REQUEST

POST /%23wpcf7-f1488-o1 [_wpcf7=1488 _wpcf7_version=5.3vbscript:-->">'>'" _wpcf7_locale=en_US
_wpcf7_unit_tag=wpcf7-f1488-o1 _wpcf7_container_post=0 _wpcf7_posted_data_hash=1
_wpcf7_recaptcha_response=1 your-name=Joey [email protected] menu-773=1 ]

RESOURCE CONTENT

Possible PHP code:


<?php bloginfo( 'charset' ); ?>
