Full Path Disclosure
Last revision: 12/25/2010
Full Path Disclosure (FPD) vulnerabilities enable the attacker to see the path to the webroot/file. e.g.: /home/omg/htdocs/file/. Certain vulnerabilities, such as using the load_file() (within a SQL Injection) query to view the page source, require the attacker to have the full path to the file they wish to view.
If we have a site that uses a method of requesting a page like this:
We can use a method of opening and closing braces that causes the page to output an error. This method would look like this:
This renders the page defunct thus spitting out an error:
Warning: opendir(Array): failed to open dir: No such file or directory in /home/omg/htdocs/index.php on line 84 Warning: pg_num_rows(): supplied argument ... in /usr/home/example/html/pie/index.php on line 131
Null Session Cookie
By simply setting the PHPSESSID cookie to nothing (null) we get an error.
Warning: session_start() [function.session-start]: The session id contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,' in /home/example/public_html/includes/functions.php on line 2
This vulnerability is prevented simply by turning error reporting off so your code does not spit out errors.
Direct Access to files that requires preloaded library files
Web application developers sometimes fail to add safe checks in files that requires preloaded library/function files. This is prone to reveal possible sensitive information when those applications' URLs are directly requested. Sometimes, it's a clue to Local File Inclusion vulnerability.
Concerning with Mambo CMS, if we access to a direct url, http://site.com/mambo/mambots/editors/mostlyce/jscripts/tiny_mce/plugins/spellchecker/classes/PSpellShell.php, then we gets
<br /> <b>Fatal error</b>: Class 'SpellChecker' not found in <b>/home/victim/public_html/mambo/mambots/editors/mostlyce/jscripts/tiny_mce/plugins/spellchecker/classes/PSpellShell.php</b> on line <b>9</b><br />
The kind of check can easily be done by developers with the aid of inspathx tool.
Related Threat Agents
- Error Handling
- Bounds Checking
- Safe Libraries
- Static Code Analysis
- Executable space protection
- Address space layout randomization (ASLR)
- Stack-smashing Protection (SSP)