Full Path Disclosure
Last revision: 09/20/2010
Full Path Disclosure (FPD) vulnerabilities enable the attacker to see the path to the webroot/file. e.g.: /home/omg/htdocs/file/. Certain vulnerabilities, such as using the load_file() (within a SQL Injection) query to view the page source, require the attacker to have the full path to the file they wish to view.
If we have a site that uses a method of requesting a page like this:
We can use a method of opening and closing braces that causes the page to output an error. This method would look like this:
This renders the page defunct thus spitting out an error:
Warning: opendir(Array): failed to open dir: No such file or directory in /home/omg/htdocs/index.php on line 84 Warning: pg_num_rows(): supplied argument ... in /usr/home/example/html/pie/index.php on line 131
Null Session Cookie
By simply setting the PHPSESSID cookie to nothing (null) we get an error.
Warning: session_start() [function.session-start]: The session id contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,' in /home/example/public_html/includes/functions.php on line 2
This vulnerability is prevented simply by turning error reporting off so your code does not spit out errors.
Related Threat Agents
- Error Handling
- Bounds Checking
- Safe Libraries
- Static Code Analysis
- Executable space protection
- Address space layout randomization (ASLR)
- Stack-smashing Protection (SSP)