Difference between revisions of "Full Path Disclosure"

Jump to: navigation, search
Line 61: Line 61:
* [http://www.enigmagroup.org/ Articled summarised from Full Path Disclosure article by haZed on EnigmaGroup.org.]
* [http://www.enigmagroup.org/ Articled summarised from Full Path Disclosure article by haZed on EnigmaGroup.org.]
* [http://yehg.net/lab/pr0js/view.php/path_disclosure_vulnerability.txt Path Disclosure Vulnerability - Is it serious?]
* [http://yehg.net/lab/pr0js/view.php/path_disclosure_vulnerability.txt Path Disclosure Vulnerability - Is it serious?]
* [http://yehg.net/lab/pr0js/files.php/inspath.zip inspath(Internal Path Disclosure Finder) ]
* [http://yehg.net/lab/pr0js/files.php/inspath.zip inspath - Internal Path Disclosure Finder]

Revision as of 22:14, 20 September 2010

This is an Attack. To view all attacks, please see the Attack Category page.

Last revision: 09/20/2010


Full Path Disclosure (FPD) vulnerabilities enable the attacker to see the path to the webroot/file. e.g.: /home/omg/htdocs/file/. Certain vulnerabilities, such as using the load_file() (within a SQL Injection) query to view the page source, require the attacker to have the full path to the file they wish to view.

Risk Factors



Empty Array

If we have a site that uses a method of requesting a page like this:


We can use a method of opening and closing braces that causes the page to output an error. This method would look like this:


This renders the page defunct thus spitting out an error:

Warning: opendir(Array): failed to open dir: No such file or directory in /home/omg/htdocs/index.php on line 84
Warning: pg_num_rows(): supplied argument ... in /usr/home/example/html/pie/index.php on line 131

Null Session Cookie

Another popular and very reliable method of producing errors containing a FPD is to give the page a nulled session using Javascript Injections. A simple injection using this method would look something like so:


By simply setting the PHPSESSID cookie to nothing (null) we get an error.

Warning: session_start() [function.session-start]: The session id contains illegal characters, 
valid characters are a-z, A-Z, 0-9 and '-,' in /home/example/public_html/includes/functions.php on line 2

This vulnerability is prevented simply by turning error reporting off so your code does not spit out errors.


Related Threat Agents

Related Attacks

Related Vulnerabilities

  • None

Related Controls