SecurityOverride

Full Path Disclosure Vulnerabilities

What is a Full Path Disclosure vulnerability?

Full Path Disclosure (FPD) vulnerabilities enable an attacker to see the full path to the webroot or to a file, e.g. /home/omg/htdocs/file/.

How Full Path Disclosure (FPD) vulnerabilities work

An FPD vulnerability is triggered by injecting unexpected characters into certain parameters of a web page. The script doesn't expect the injected character and returns an error message that includes information about the error, as well as the operating path of the targeted script.

Why are Full Path Disclosure vulnerabilities useful?

While FPD vulnerabilities are considered low risk, they can be used in conjunction with other exploitation techniques and can often be the key to a successful hack.

One example of such a relationship would be the use of an LFI (Local File Include) vulnerability partnered with FPD. With LFI, the attacker may not be able to find the containing folder for a certain file they wish to view (for example: config.php), or the standard includes folder may have been renamed. If an attacker can cause an error that reveals the location of the folder, the hack becomes much faster, smoother and easier than trying to guess the path.

Examples

Empty Array

Suppose a site selects the page to display through a request like this:

http://site.com/index.php?page=about

Adding an opening and closing square bracket after the parameter name turns the value into an array and causes the page to output an error. The request would look like this:

http://site.com/index.php?page[]=about

This breaks the page, which then outputs an error:

Warning: opendir(Array): failed to open dir: No such file or directory in /home/omg/htdocs/index.php on line 84
Warning: pg_num_rows(): supplied argument ... in /usr/home/example/html/pie/index.php on line 131

Null Session Cookie

Illegal Session Injection works by changing the value of the session cookie to an invalid or illegal character. Many injectable characters will result in the output of the operating path, but the most common and most widely (un)supported is the null character, that is, making the cookie value nothing. To set the PHPSESSID cookie, use JavaScript injection and enter the following line in your URL bar:

javascript:void(document.cookie="PHPSESSID=");

By simply setting the PHPSESSID cookie to nothing (null) we get an error:

Warning: session_start() [function.session-start]: The session id contains illegal characters,
valid characters are a-z, A-Z, 0-9 and '-,' in /home/example/public_html/includes/functions.php on line 2

FPD Prevention

Preventing an FPD injection without having an error handling / management system is as simple as disabling the display of error messages. This can be done in PHP's php.ini file, Apache's httpd.conf file, or via the PHP script itself. With display turned off, errors can still be written to the server log through PHP's log_errors directive.

php.ini:

display_errors = Off

httpd.conf/apache2.conf:

php_flag display_errors off

PHP script:

ini_set('display_errors', '0');
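
To confirm the setting took effect, response bodies from your own site can be checked for PHP error messages that expose a path. The following is an added example, not part of the original article; the function names and the sample bodies (built from the warnings quoted above, in plain and html_errors form) are constructed for illustration.

```python
import re
from html import unescape

_TAGS = re.compile(r"<[^>]+>")
# Matches "<Level>: <message> in <absolute path> on line <N>", the layout of
# the warnings quoted in this article. Paths containing spaces are not matched.
_PHP_ERROR = re.compile(
    r"(?P<level>Fatal error|Parse error|Warning|Notice|Deprecated):\s+"
    r"(?P<message>.*?)\s+in\s+"
    r"(?P<path>(?:/|[A-Za-z]:\\)\S+?)\s+on\s+line\s+(?P<line>\d+)",
    re.DOTALL,
)
_FUNC = re.compile(r"(\w+)\(")

# Constructed sample bodies: one leaking two paths, one clean.
LEAKY_BODY = (
    "<br />\n<b>Warning</b>:  opendir(Array): failed to open dir: No such file "
    "or directory in <b>/home/omg/htdocs/index.php</b> on line <b>84</b><br />\n"
    "Warning: session_start() [function.session-start]: The session id contains "
    "illegal characters,\nvalid characters are a-z, A-Z, 0-9 and '-,' in "
    "/home/example/public_html/includes/functions.php on line 2\n"
)
CLEAN_BODY = "<html><body><h1>About</h1><p>Log in to continue.</p></body></html>"


def find_path_disclosures(body):
    """Return one dict per PHP error in a response body that exposes a path."""
    # html_errors wraps parts of the message in <b> tags: strip tags, then entities.
    text = unescape(_TAGS.sub("", body))
    findings = []
    for m in _PHP_ERROR.finditer(text):
        func = _FUNC.match(m.group("message"))
        findings.append({
            "level": m.group("level"),
            "function": func.group(1) if func else None,
            "path": m.group("path"),
            "line": int(m.group("line")),
        })
    return findings


def leaked_directories(findings):
    """Distinct directories revealed by the findings, sorted."""
    # Drop the final path component, accepting either separator.
    return sorted({re.sub(r"[\\/][^\\/]*$", "", f["path"]) for f in findings})
```

Run it over the responses to malformed requests (an array parameter, an empty session cookie) before and after changing display_errors; an empty result means no path reached the client in the message layout matched above.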