Difference between revisions of "Full Path Disclosure"

From OWASP
Latest revision as of 16:28, 8 November 2012

This is an Attack. To view all attacks, please see the Attack Category page.


Last revision: 11/8/2012


Description

Full Path Disclosure (FPD) vulnerabilities enable the attacker to see the path to the webroot or to a file, for example /home/omg/htdocs/file/. Certain vulnerabilities, such as using a load_file() query (within a SQL Injection) to view the page source, require the attacker to know the full path to the file they wish to view.

Risk Factors

The risks of FPD may produce various outcomes. For example, if the webroot path is leaked, attackers may abuse that knowledge in combination with file inclusion vulnerabilities (see PHP File Inclusion) to steal configuration files of the web application or of the rest of the operating system.

Warning: session_start() [function.session-start]: The session id contains illegal characters, 
valid characters are a-z, A-Z, 0-9 and '-,' in /home/example/public_html/includes/functions.php on line 2

In combination with, say, unprotected use of the PHP function file_get_contents, the attacker gets an opportunity to steal configuration files.

The sourcecode of index.php:

<?php
   // Vulnerable: the page parameter is appended to the working directory without any validation.
   echo file_get_contents(getcwd().$_GET['page']);
?>

An attacker crafts a URL like so: http://site.com/index.php?page=../../../../../../../home/example/public_html/includes/config.php with the knowledge of the FPD in combination with Relative Path Traversal.

The leaked sourcecode of config.php:

<?php
   //Hidden configuration file containing database credentials.
   $hostname = 'localhost';
   $username = 'root';
   $password = 'owasp_fpd';
   $database = 'example_site';
   $connector = mysql_connect($hostname, $username, $password);
   mysql_select_db($database, $connector);
?>

Apart from the above, FPD also reveals the underlying operating system through the shape of the path: Windows paths start with a drive letter such as C:\, whereas paths on Unix-based systems start with a single forward slash.

*NIX:

Warning: session_start() [function.session-start]: The session id contains illegal characters, 
valid characters are a-z, A-Z, 0-9 and '-,' in /home/alice/public_html/includes/functions.php on line 2

Microsoft Windows:

Warning: session_start() [function.session-start]: The session id contains illegal characters, 
valid characters are a-z, A-Z, 0-9 and '-,' in C:\Users\bob\public_html\includes\functions.php on line 2

An FPD may reveal a lot more than people normally suspect. The two examples above also reveal usernames on the operating system: "alice" and "bob". Usernames are of course important pieces of credentials; attackers can use them in many ways, ranging from brute-forcing over various protocols (SSH, Telnet, RDP, FTP, ...) to launching exploits that require working usernames.

Examples

Empty Array

If we have a site that uses a method of requesting a page like this:

http://site.com/index.php?page=about

We can turn the parameter into an array by appending an empty pair of square brackets to its name, which causes the page to output an error. The request would look like this:

http://site.com/index.php?page[]=about

This breaks the page and makes it emit an error such as:

Warning: opendir(Array): failed to open dir: No such file or directory in /home/omg/htdocs/index.php on line 84
Warning: pg_num_rows(): supplied argument ... in /usr/home/example/html/pie/index.php on line 131
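As an added example (not code from the OWASP page), the following is a hardened replacement for the index.php shown under Risk Factors. It rejects the page[] array probe above (a non-string value never reaches a filesystem function) as well as the ../ traversal, and answers with a generic message rather than a PHP warning. The pages directory, the .html suffix and the allow-listed page names are assumptions.

```php
<?php
// Added example (not from the OWASP page): hardened replacement for the
// vulnerable index.php. The pages directory and page names are assumptions.

declare(strict_types=1);

// Only these logical page names may be requested; nothing taken from $_GET
// is used as a path component.
const ALLOWED_PAGES = ['about', 'contact', 'home'];

/**
 * Resolve a user-supplied page name to a file under $pagesDir, or return null.
 * Rejects anything not on the allow-list, then double-checks with realpath()
 * that the resolved file is still inside $pagesDir (defence in depth against
 * traversal such as ../../../../home/example/public_html/includes/config.php).
 */
function resolve_page(mixed $page, string $pagesDir): ?string
{
    // page[]=about arrives as an array; a non-string is rejected here instead
    // of being handed to a filesystem function that would warn about it.
    if (!is_string($page) || !in_array($page, ALLOWED_PAGES, true)) {
        return null;
    }
    $base = realpath($pagesDir);
    $file = realpath($pagesDir . DIRECTORY_SEPARATOR . $page . '.html');
    if ($base === false || $file === false) {
        return null;
    }
    // Containment check: the resolved path must start with the base directory.
    if (strncmp($file, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $file;
}

$file = resolve_page($_GET['page'] ?? null, __DIR__ . '/pages');
if ($file === null) {
    // Generic response: no path, no PHP warning text, nothing for an FPD probe to read.
    http_response_code(404);
    echo 'Page not found.';
    exit;
}
echo file_get_contents($file);
```

The allow-list alone already stops traversal; the realpath() containment check is kept so that a later change to the allow-list logic cannot silently reopen the hole.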

Null Session Cookie

Another popular and very reliable way of producing errors that contain an FPD is to give the page a nulled (empty) session cookie, for example via a JavaScript injection. A simple injection of this kind looks like this:

javascript:void(document.cookie="PHPSESSID=");

Simply setting the PHPSESSID cookie to an empty (null) value produces an error:

Warning: session_start() [function.session-start]: The session id contains illegal characters, 
valid characters are a-z, A-Z, 0-9 and '-,' in /home/example/public_html/includes/functions.php on line 2

This vulnerability is prevented simply by turning error reporting off, so that the code no longer emits errors to the page:

error_reporting(0);

Errors contain information that is useful to the site owner, so rather than disabling error reporting altogether it is possible to hide errors from the output only, by setting display_errors (http://www.php.net/errorfunc.configuration#ini.display-errors) to Off.

Invalid Session Cookie

As a complement to the Null Session Cookie, a very long session id can also produce an error containing an FPD. This can likewise be set via a JavaScript injection:

javascript:void(document.cookie='PHPSESSID=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA');

Setting the PHPSESSID cookie to 129 bytes or more may make PHP emit a warning.

Another approach is to set the PHPSESSID cookie data to one of the reserved bytes, i.e. a character that is not permitted in a session id:

javascript:void(document.cookie='PHPSESSID=.');

Both variants result in the following warning:

Warning: session_start(): The session id is too long or contains illegal characters,
valid characters are a-z, A-Z, 0-9 and '-,' in /home/example/public_html/includes/functions.php on line 2

The same remedy as for the Null Session Cookie applies here: errors can be hidden from the output with display_errors (http://www.php.net/errorfunc.configuration#ini.display-errors).
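The remedy recommended for both the Null Session Cookie and the Invalid Session Cookie cases, written out as an added example (not code from the OWASP page): error reporting stays fully on for the operator, but every message, including warnings from session_start() and fatal errors such as the "Class 'SpellChecker' not found" case further below, is routed to a log file instead of the response body. The log path is an assumption.

```php
<?php
// Added example (not from the OWASP page): keep error reporting on for the
// operator while never sending file paths to the client. Log path is an assumption.

declare(strict_types=1);

// Report everything, but send it to the log instead of the response body.
error_reporting(E_ALL);
ini_set('display_errors', '0');                 // same as display_errors = Off in php.ini
ini_set('log_errors', '1');
ini_set('error_log', '/var/log/php/app.log');   // assumed path, outside the webroot

// Warnings and notices: full details (including the path) go to the log,
// the client only ever sees a generic, path-free message.
set_error_handler(function (int $errno, string $errstr, string $errfile, int $errline): bool {
    error_log(sprintf('[%d] %s in %s:%d', $errno, $errstr, $errfile, $errline));
    if ($errno & (E_USER_ERROR | E_RECOVERABLE_ERROR)) {
        http_response_code(500);
        echo 'An internal error occurred.';
        exit;
    }
    return true; // handled here, so PHP's own output for this error is suppressed
});

// Fatal errors (e.g. a missing class when a library file is requested directly)
// bypass set_error_handler; catch them on shutdown so the raw message never renders.
register_shutdown_function(function (): void {
    $err = error_get_last();
    if ($err !== null && ($err['type'] & (E_ERROR | E_PARSE | E_CORE_ERROR | E_COMPILE_ERROR))) {
        // PHP already wrote the details to error_log; only the client output is replaced.
        http_response_code(500);
        echo 'An internal error occurred.';
    }
});

// Any warning session_start() raises about the cookie value now ends up in the
// log rather than in the page, so the probes above no longer disclose a path.
session_start();
echo "page rendered normally\n";
```

Note that a custom handler which returns true also suppresses PHP's built-in logging, which is why the handler calls error_log() itself; dropping that call would hide the warnings from the operator as well as from the client.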

Direct Access to files that require preloaded library files

Web application developers sometimes fail to add safety checks to files that require preloaded library or function files. Such files are prone to reveal sensitive information when their URLs are requested directly. Sometimes this is also a clue to a Local File Inclusion vulnerability.

In Mambo CMS, for instance, requesting the URL http://site.com/mambo/mambots/editors/mostlyce/jscripts/tiny_mce/plugins/spellchecker/classes/PSpellShell.php directly yields:

<br />
<b>Fatal error</b>:  Class 'SpellChecker' not found in <b>/home/victim/public_html/mambo/mambots/editors/mostlyce/jscripts/tiny_mce/plugins/spellchecker/classes/PSpellShell.php</b> on line <b>9</b><br />


Tool

The three checks above can be performed with the aid of the inspathx tool (https://code.google.com/p/inspathx/).
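As an added example (not the inspathx tool and not code from the OWASP page), here is a minimal self-check a site owner can run over captured response bodies: it finds PHP error text carrying an absolute server path, classifies the operating system from the path shape as described under Risk Factors, and extracts the account name where the path is under a home directory. The sample responses are constructed from the warnings quoted on this page.

```php
<?php
// Added example (not inspathx, not OWASP code): scan response bodies for PHP
// error text that discloses absolute paths. Samples are constructed from the
// warnings quoted on this page.

declare(strict_types=1);

/**
 * Return every absolute path found inside PHP warning/error text in $body,
 * tagged with the OS family the path shape implies and any leaked username.
 * Returns [] when the body is clean.
 */
function find_path_disclosures(string $body): array
{
    $body = strip_tags($body); // html_errors output wraps the path in <b>...</b>
    $hits = [];
    // " in /abs/file.php on line N" (Unix) or " in C:\abs\file.php on line N" (Windows)
    $re = '~\bin\s+((?:[A-Za-z]:\\\\|/)[^\s<>"\']+?\.php)\s+on\s+line\s+(\d+)~';
    if (preg_match_all($re, $body, $m, PREG_SET_ORDER)) {
        foreach ($m as $match) {
            $path = $match[1];
            $hits[] = [
                'path' => $path,
                'line' => (int) $match[2],
                'os'   => preg_match('~^[A-Za-z]:\\\\~', $path) ? 'windows' : 'unix',
                'user' => leaked_username($path),
            ];
        }
    }
    return $hits;
}

/** Username from /home/<user>/..., /usr/home/<user>/... or C:\Users\<user>\..., else null. */
function leaked_username(string $path): ?string
{
    if (preg_match('~^/(?:usr/)?home/([^/]+)/~', $path, $m)) {
        return $m[1];
    }
    if (preg_match('~^[A-Za-z]:\\\\Users\\\\([^\\\\]+)\\\\~', $path, $m)) {
        return $m[1];
    }
    return null;
}

// Constructed sample bodies, as a scanner would capture them.
$samples = [
    "<html><body>Welcome to the about page.</body></html>",
    "Warning: session_start() [function.session-start]: The session id contains illegal characters,\n"
    . "valid characters are a-z, A-Z, 0-9 and '-,' in /home/alice/public_html/includes/functions.php on line 2",
    "Warning: session_start() [function.session-start]: The session id contains illegal characters,\n"
    . "valid characters are a-z, A-Z, 0-9 and '-,' in C:\\Users\\bob\\public_html\\includes\\functions.php on line 2",
    "<br />\n<b>Fatal error</b>:  Class 'SpellChecker' not found in <b>/home/victim/public_html/mambo/"
    . "mambots/editors/mostlyce/jscripts/tiny_mce/plugins/spellchecker/classes/PSpellShell.php</b> on line <b>9</b><br />",
];

foreach ($samples as $i => $body) {
    $hits = find_path_disclosures($body);
    printf("sample %d: %s\n", $i, $hits ? json_encode($hits) : 'clean');
}
```

Run from the CLI, the first sample reports clean and the other three each report one hit with os unix, windows and unix and user alice, bob and victim respectively; wiring the same function into a test suite that requests the probes from the Examples section against a staging copy gives a regression check that display_errors has not been switched back on.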

Related Threat Agents

  • internal software developer

Related Attacks

  • SQL Injection
  • Relative Path Traversal

Related Vulnerabilities

  • None

Related Controls

  • Error Handling
  • Bounds Checking
  • Safe Libraries
  • Static Code Analysis
  • Executable space protection
  • Address space layout randomization (ASLR)
  • Stack-smashing Protection (SSP)

References

  • http://www.acunetix.com/vulnerabilities/Full-path-disclosure.htm
  • Article summarised from the Full Path Disclosure article by haZed on EnigmaGroup.org (http://www.enigmagroup.org/)
  • Path Disclosure Vulnerability - Is it serious? (http://yehg.net/lab/pr0js/view.php/path_disclosure_vulnerability.txt)
  • inspathx - Internal Path Disclosure Finder (http://yehg.net/lab/pr0js/files.php/inspath.zip)