Description
The web server is configured to include the "X-SourceFiles" HTTP response header, which discloses the full physical file system path of the application source code file that generated the response. This header is typically added by IIS during development or debugging and should not be present in production environments.
Remediation
Remove the "X-SourceFiles" header from HTTP responses by disabling debug mode and ensuring proper production configuration in IIS. This can be accomplished through the following steps:
1. Open IIS Manager and navigate to your application
2. Select "HTTP Response Headers"
3. Remove any custom "X-SourceFiles" header if present
4. Ensure the application is not running in debug mode by verifying the web.config file contains:
   <configuration>
     <system.web>
       <compilation debug="false" />
     </system.web>
   </configuration>
5. Alternatively, add a custom outbound rule in web.config to explicitly remove this header:
   <system.webServer>
     <httpProtocol>
       <customHeaders>
         <remove name="X-SourceFiles" />
       </customHeaders>
     </httpProtocol>
   </system.webServer>
After making changes, restart the application pool and verify the header is no longer present in responses.
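The two verification points in the steps above (the header is gone from responses, and web.config carries the debug and customHeaders settings) as an added example; this is not part of the original advisory or of IIS itself. It assumes the X-SourceFiles value is an RFC 2047 encoded-word (=?UTF-8?B?<base64>?=) wrapping the path, and both sample inputs are constructed.

```python
"""Added checks for the X-SourceFiles disclosure discussed above (sample inputs
are constructed; the RFC 2047 encoded-word header format is an assumption)."""
import base64
import re
import xml.etree.ElementTree as ET

# Constructed response: the leaked path is an invented example, not a real host.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nX-SourceFiles: =?UTF-8?B?"
    + base64.b64encode(b"C:\\inetpub\\wwwroot\\app\\default.aspx")
    + b"?=\r\nServer: Microsoft-IIS/10.0\r\n\r\n<html></html>"
)

# Constructed web.config with both remediation settings applied.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web><compilation debug="false" /></system.web>
  <system.webServer><httpProtocol><customHeaders>
    <remove name="X-SourceFiles" />
  </customHeaders></httpProtocol></system.webServer>
</configuration>"""


def disclosed_source_path(raw_response: bytes):
    """Return the path leaked via X-SourceFiles, or None if the header is absent.
    An RFC 2047 encoded-word is decoded; any other value is returned as-is."""
    head = raw_response.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() != "x-sourcefiles":
            continue
        value = value.strip()
        m = re.fullmatch(r"=\?utf-8\?b\?(.+)\?=", value, re.IGNORECASE)
        return base64.b64decode(m.group(1)).decode("utf-8") if m else value
    return None


def audit_web_config(xml_text: str) -> dict:
    """Check the two settings from the remediation steps: debug compilation off
    and an explicit <remove name="X-SourceFiles" /> under customHeaders."""
    root = ET.fromstring(xml_text)
    comp = root.find(".//compilation")
    # <compilation> absent or debug != "true" means debug builds are not enabled.
    debug_on = comp is not None and comp.get("debug", "false").lower() == "true"
    removed = any(el.get("name", "").lower() == "x-sourcefiles"
                  for el in root.iter("remove"))
    return {"debug_off": not debug_on, "header_removed": removed}
```

Feed disclosed_source_path a raw response captured from the production host after the restart; a None result is the expected outcome.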