Full Path Disclosure


Description
Full Path Disclosure (FPD) vulnerabilities enable the attacker to see the path to the webroot or file, e.g. /home/omg/htdocs/file/. Certain vulnerabilities, such as using the load_file() query (within an SQL injection) to view page sources, require the attacker to have the full path to the file they wish to view.


Examples

 * Empty Array

If we have a site that requests a page like this:

    http://site.com/index.php?page=about

we can add opening and closing square brackets to the parameter name, so that the value arrives as an array and the page outputs an error. This method would look like this:

    http://site.com/index.php?page[]=about

This renders the page defunct, and it spits out an error:

    Warning: opendir(Array): failed to open dir: No such file or directory in /home/omg/htdocs/index.php on line 84
    Warning: pg_num_rows: supplied argument ... in /usr/home/example/html/pie/index.php on line 131


 * Null Session Cookie

Another popular and very reliable method of producing errors containing an FPD is to give the page a nulled session using JavaScript injection. A simple injection using this method would look something like this:

    javascript:void(document.cookie="PHPSESSID=");

By simply setting the PHPSESSID cookie to nothing (null) we get an error:

    Warning: session_start [function.session-start]: The session id contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,' in /home/example/public_html/includes/functions.php on line 2

Related Threat Agents
Category:Information Disclosure

Related Attacks

 * SQL Injection
 * Relative Path Traversal

Related Controls
This vulnerability is prevented simply by turning error reporting off so your code does not spit out errors:

    error_reporting(0);
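
The following is an added example, not code from the original page. It is a variation on error_reporting(0), which also stops errors from being logged: it keeps errors out of the response while still logging them, and it rejects the two inputs from the Examples section before they reach opendir() or session_start(). The allowlist, log path, helper names and session id length bounds are assumptions.

```php
<?php
// Added example. ALLOWED_PAGES, the log path, the helper names and the
// session id length bounds are assumptions, not taken from the page.

// Keep error text (and the paths in it) out of the HTTP response,
// but still record it where operators can read it.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
ini_set('error_log', sys_get_temp_dir() . '/app-errors.log'); // assumed: outside the webroot
error_reporting(E_ALL);

// Hypothetical allowlist of pages the application serves.
const ALLOWED_PAGES = ['home', 'about', 'contact'];

// page[]=about arrives as an array, which is what produces
// "opendir(Array)" with the full path. Anything that is not an
// allowlisted string falls back to a fixed default.
function resolve_page($raw): string
{
    if (!is_string($raw) || !in_array($raw, ALLOWED_PAGES, true)) {
        return 'home';
    }
    return $raw;
}

// An empty PHPSESSID triggers the session_start() warning. Accept only
// the characters the warning lists, within an assumed length range.
function session_id_is_sane($raw): bool
{
    return is_string($raw)
        && preg_match('/^[A-Za-z0-9,-]{22,256}$/', $raw) === 1;
}

// Constructed sample requests: normal, array-typed, unknown page.
foreach (['about', ['about'], '../etc'] as $sample) {
    echo json_encode($sample), ' => ', resolve_page($sample), PHP_EOL;
}

// Constructed sample cookies: the nulled session, then a plausible id.
foreach (['', 'q7f3k2m9p1x8c4v6b0n5a2s1'] as $cookie) {
    $verdict = session_id_is_sane($cookie) ? 'keep' : 'discard and start a fresh session';
    echo var_export($cookie, true), ' => ', $verdict, PHP_EOL;
}
```

In a real request handler, a cookie that fails the check would be removed from $_COOKIE before session_start() is called, so that PHP issues a new id instead of raising the warning.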