Full Path Disclosure
Hey everybody. Today we are going to talk about a very common web vulnerability: "Full Path Disclosure".
Full Path Disclosure (FPD) vulnerabilities enable the attacker to see the internal path structure of an installation, e.g. /home/dir/htdocs/blahblah.
Severity:=Low to Medium
For FPD the severity level is said to be up to medium because usually it is not a vulnerability in itself. It is more of an informational risk.
Most of the time it is not exploited by itself, but it is a clue towards exploiting other web vulnerabilities such as SQL injection load_file() or LFI.
It may sometimes be due to a web server application misconfiguration which reveals error messages to website visitors. Sometimes an application itself generates debugging error messages.
How To Generate An FPD Error:=
As I said before, FPD can be very useful in cases like SQL injection load_file() or LFI. So what if you have a site vulnerable to SQL injection load_file() or LFI but you don't know the root path? There is nothing you can do with it. Once you get the root path you can continue your digging.
Below we are going to discuss some common, well-known methods and a few lesser-known ones for generating FPD errors.
If we have a site that uses a method of requesting a page like this:
http://site.com/index.php?page=about
We can use a method of opening and closing braces on the parameter, so that PHP receives an array where the code expects a string, which causes the page to output an error.
This renders the page defunct, thus spitting out an error:
Warning: opendir(Array): failed to open dir: No such file or directory in /home/omg/htdocs/index.php on line 84
Warning: pg_num_rows(): supplied argument ... in /usr/home/example/html/pie/index.php on line 131
2-Null Session Cookie
By simply setting the PHPSESSID cookie to nothing (null) we get an error:
Warning: session_start() [function.session-start]: The session id contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,' in /home/example/public_html/includes/functions.php on line 2
Errors can contain useful information for the site owner, so instead of disabling error reporting altogether, it is possible to only hide errors from the output with display_errors.
We can also use dorks to find the errors on a specific site.
Warning: * [function.*]: site:yourtargetsitehere.
I prefer using bing.com for this purpose, especially when I have to search a full server for an error message.
ip:xxx.xxx.xxx.xx sql error
ip:xxx.xxx.xxx.xx fatal error
ip:xxx.xxx.xxx.xx warning [function.*]
The creativity of your dorks is up to you.
4-Using SQL Injection load_file()
This is also a very good possibility. I am going to discuss it later in another tutorial.
How to Patch FPD:=
This vulnerability is prevented simply by turning the display of errors off so your code does not spit out errors to visitors.
In php.ini:
display_errors = 'off'
In .htaccess (Apache with mod_php):
php_flag display_errors off