Full Path Disclosure Vulnerabilities
What is a Full Path Disclosure vulnerability?
Full Path Disclosure (FPD) vulnerabilities let an attacker see the full filesystem path to the webroot or to a file, e.g. /home/omg/htdocs/file/.
How Full Path Disclosure (FPD) vulnerabilities work
An FPD vulnerability is triggered by injecting unexpected characters into certain parameters of a web page. The script doesn't expect the injected character and returns an error message that includes information about the error, as well as the operating path of the targeted script.
Why are Full Path Disclosure vulnerabilities useful?
If we have a site that uses a method of requesting a page like this:
We can use a method of opening and closing braces that causes the page to output an error. This method would look like this:
This renders the page defunct thus spitting out an error:
Null Session Cookie
By simply setting the PHPSESSID cookie to nothing (null) we get an error.
Preventing an FPD injection without having an error handling / management system is as simple as disabling the display of error messages. This can be done in PHP's php.ini file, Apache's httpd.conf file, or via the PHP script itself:
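The following is an added example, not code from the original page: a PHP bootstrap that disables error display, keeps full details in the server log, and validates the two inputs discussed above (the page parameter and the session cookie) before they can raise a warning. The parameter name `page`, the default value `home` and the helper `generic_500()` are assumptions made for illustration.

```php
<?php
// Equivalent server-wide settings (standard PHP directives):
//   php.ini:     display_errors = Off   and   log_errors = On
//   httpd.conf:  php_flag display_errors off   (mod_php only)
ini_set('display_errors', '0');  // never render errors into the response
ini_set('log_errors', '1');      // keep the details, path included, in the log
error_reporting(E_ALL);          // still record everything

// Hypothetical helper: the client only ever sees a generic message.
function generic_500(): void
{
    if (!headers_sent()) {
        http_response_code(500);
    }
    echo 'An internal error occurred.';
    exit;
}

// Warnings and notices go to the log; returning true skips PHP's own handler.
set_error_handler(function (int $no, string $msg, string $file, int $line): bool {
    error_log("PHP error [$no] $msg in $file:$line");
    return true;
});

// Uncaught exceptions are logged in full and answered generically.
set_exception_handler(function (Throwable $e): void {
    error_log('Uncaught ' . get_class($e) . ': ' . $e->getMessage()
        . ' in ' . $e->getFile() . ':' . $e->getLine());
    generic_500();
});

// The page parameter must be a short plain string. An array-valued
// parameter would otherwise reach string functions and raise a warning.
$page = $_GET['page'] ?? 'home';
if (!is_string($page) || !preg_match('/^[a-z0-9_-]{1,32}$/i', $page)) {
    $page = 'home';
}

// Drop an empty or malformed session cookie so session_start() issues a
// fresh ID instead of complaining about the one it was sent.
$name = session_name();
if (isset($_COOKIE[$name]) && (!is_string($_COOKIE[$name])
        || !preg_match('/^[A-Za-z0-9,-]{22,256}$/', $_COOKIE[$name]))) {
    unset($_COOKIE[$name]);
}
session_start();
```

Disabling display alone hides the path from the response; the input checks remove the error conditions themselves, so the log stays quiet as well.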