Difference between revisions of "Full Path Disclosure"

From OWASP
Jump to: navigation, search
(References)
Line 56: Line 56:
  
 
==References==
 
==References==
 +
 +
* http://www.acunetix.com/vulnerabilities/Full-path-disclosure.htm
  
 
*[http://www.enigmagroup.org/ Articled summarised from Full Path Disclosure article by haZed on EnigmaGroup.org.]
 
*[http://www.enigmagroup.org/ Articled summarised from Full Path Disclosure article by haZed on EnigmaGroup.org.]
*[http://www.enigmagroup.org/pages/view_articles/artID/175/ Original article location (registration required).]
 
  
 +
*[http://www.enigmagroup.org/pages/view_articles/artID/175/ Original article location (registration required).]
  
 
[[Category:Injection]]
 
[[Category:Injection]]
 
[[Category:Attack]]
 
[[Category:Attack]]
 
__NOTOC__
 
__NOTOC__

Revision as of 19:55, 23 June 2008

This is an Attack. To view all attacks, please see the Attack Category page.


Last revision (mm/dd/yy): 06/23/2008

Description

Full Path Disclosure (AKA, FPD) vulnerabilities enable the attacker to see the path to the webroot/file. Eg: /home/omg/htdocs/file/. Certain vulnerabilities such as using the load_file() (within an SQL injection) query to view page sources require the attacker to have the full path to the file they wish to view.



Examples

  • Empty Array

If we have a site that uses a method of requesting a page like this:

http://site.com/index.php?page=about

We can use a method of opening and closing braces and causing the page to output an error. This method would look like this:

http://site.com/index.php?page[]=about

This renders the page defunct thus spitting out an error:

Warning: opendir(Array): failed to open dir: No such file or directory in /home/omg/htdocs/index.php on line 84
Warning: pg_num_rows(): supplied argument ... in /usr/home/example/html/pie/index.php on line 131
  • Null Session Cookie

Another popular and very reliable method of producing errors containing a FPD is to give the page a nulled session using Javascript Injections. A simple injection using this method would look something like so:

javascript:void(document.cookie="PHPSESSID=");

By simply setting the PHPSESSID cookie to nothing (null) we get an error.

Warning: session_start() [function.session-start]: The session id contains illegal characters, 
valid characters are a-z, A-Z, 0-9 and '-,' in /home/example/public_html/includes/functions.php on line 2


Related Threat Agents

Category:Information Disclosure


Related Attacks


Related Vulnerabilities

Related Controls

This vulnerability is prevented simply by turning error reporting off so your code does not spit out errors.

error_reporting(0);


References