https://wiki.owasp.org/api.php?action=feedcontributions&feedformat=atom&user=HaZedOWASP - User contributions [en]2026-04-26T00:26:06ZUser contributionsMediaWiki 1.27.2https://wiki.owasp.org/index.php?title=Full_Path_Disclosure&diff=28074Full Path Disclosure2008-04-15T15:56:32Z<p>HaZed: /* External References */</p>
<hr />
<div>==Overview==<br />
Full Path Disclosure (AKA, FPD) vulnerabilities enable the attacker to see the path to the webroot/file. Eg: /home/omg/htdocs/file/. Certain vulnerabilities such as using the load_file() (within an SQL injection) query to view page sources require the attacker to have the full path to the file they wish to view.<br />
<br />
==Severity==<br />
Low to Medium (circumstantial)<br />
<br />
==Exploit Likely-Hood==<br />
Extremely High<br />
<br />
==Examples==<br />
* '''Empty Array'''<br />
<br />
If we have a site that uses a method of requesting a page like this:<br />
<pre>http://site.com/index.php?page=about</pre><br />
We can use a method of opening and closing braces and causing the page to output an error. This method would look like this:<br />
<pre>http://site.com/index.php?page[]=about</pre><br />
This renders the page defunct thus spitting out an error:<br />
<pre>Warning: opendir(Array): failed to open dir: No such file or directory in /home/omg/htdocs/index.php on line 84<br />
Warning: pg_num_rows(): supplied argument ... in /usr/home/example/html/pie/index.php on line 131</pre><br />
<br />
* '''Null Session Cookie'''<br />
<br />
Another popular and very reliable method of producing errors containing a FPD is to give the page a nulled session using Javascript Injections.<br />
A simple injection using this method would look something like so:<br />
<pre>javascript:void(document.cookie="PHPSESSID=");</pre><br />
By simply setting the PHPSESSID cookie to nothing (null) we get an error.<br />
<pre>Warning: session_start() [function.session-start]: The session id contains illegal characters, <br />
valid characters are a-z, A-Z, 0-9 and '-,' in /home/example/public_html/includes/functions.php on line 2</pre><br />
<br />
==Preventing==<br />
This vulnerability is prevented simply by turning error reporting off so your code does not spit out errors.<br />
<pre>error_reporting(0);</pre><br />
<br />
==Related Threats==<br />
[[:Category:Information Disclosure]]<br />
<br />
==Related Attacks==<br />
*[[SQL Injection]]<br />
*[[Relative Path Traversal]]<br />
<br />
==Conclusion==<br />
It must be put across very clearly that this vulnerability in no way enables an attacker to gain full control of your website. However, this exploit often accompanies another, more serious one in which this will aid an attacker in controlling your website.<br />
<br />
==External References==<br />
*[http://www.enigmagroup.org/ Articled summarised from Full Path Disclosure article by haZed on EnigmaGroup.org.]<br />
*[http://www.enigmagroup.org/pages/view_articles/artID/175/ Original article location (registration required).]<br />
<br />
[[Category:Injection]]<br />
[[Category:Attack]]</div>HaZedhttps://wiki.owasp.org/index.php?title=Full_Path_Disclosure&diff=28073Full Path Disclosure2008-04-15T15:54:49Z<p>HaZed: </p>
<hr />
<div>==Overview==<br />
Full Path Disclosure (AKA, FPD) vulnerabilities enable the attacker to see the path to the webroot/file. Eg: /home/omg/htdocs/file/. Certain vulnerabilities such as using the load_file() (within an SQL injection) query to view page sources require the attacker to have the full path to the file they wish to view.<br />
<br />
==Severity==<br />
Low to Medium (circumstantial)<br />
<br />
==Exploit Likely-Hood==<br />
Extremely High<br />
<br />
==Examples==<br />
* '''Empty Array'''<br />
<br />
If we have a site that uses a method of requesting a page like this:<br />
<pre>http://site.com/index.php?page=about</pre><br />
We can use a method of opening and closing braces and causing the page to output an error. This method would look like this:<br />
<pre>http://site.com/index.php?page[]=about</pre><br />
This renders the page defunct thus spitting out an error:<br />
<pre>Warning: opendir(Array): failed to open dir: No such file or directory in /home/omg/htdocs/index.php on line 84<br />
Warning: pg_num_rows(): supplied argument ... in /usr/home/example/html/pie/index.php on line 131</pre><br />
<br />
* '''Null Session Cookie'''<br />
<br />
Another popular and very reliable method of producing errors containing a FPD is to give the page a nulled session using Javascript Injections.<br />
A simple injection using this method would look something like so:<br />
<pre>javascript:void(document.cookie="PHPSESSID=");</pre><br />
By simply setting the PHPSESSID cookie to nothing (null) we get an error.<br />
<pre>Warning: session_start() [function.session-start]: The session id contains illegal characters, <br />
valid characters are a-z, A-Z, 0-9 and '-,' in /home/example/public_html/includes/functions.php on line 2</pre><br />
<br />
==Preventing==<br />
This vulnerability is prevented simply by turning error reporting off so your code does not spit out errors.<br />
<pre>error_reporting(0);</pre><br />
<br />
==Related Threats==<br />
[[:Category:Information Disclosure]]<br />
<br />
==Related Attacks==<br />
*[[SQL Injection]]<br />
*[[Relative Path Traversal]]<br />
<br />
==Conclusion==<br />
It must be put across very clearly that this vulnerability in no way enables an attacker to gain full control of your website. However, this exploit often accompanies another, more serious one in which this will aid an attacker in controlling your website.<br />
<br />
==External References==<br />
*[http://www.enigmagroup.org/ Articled summarised from Full Path Disclosure article by haZed on EnigmaGroup.org]<br />
<br />
[[Category:Injection]]<br />
[[Category:Attack]]</div>HaZed