Full Path Disclosure, also known as Internal Path Disclosure, is a vulnerability that allows an attacker to see the full internal path (or webroot) of a system, which can be used in other types of attacks such as SQL Injection (uploading files) or Local File Inclusion.

The following vulnerable PHP code includes a page into the web application:

The URL could look like this:

This will try to include the file about.php into the web application; as long as the file exists, nothing will happen.

Now we modify the parameter file to something that does not exist, for example:

The following error message reveals the internal path:

The internal path (or webroot directory) is /var/www.

Array Parameter Injection
Another method of disclosing a full path is Array Parameter Injection. This is possible when a script builds a function call from a $_GET parameter. If the $_GET parameter is used in a function that expects a string but receives an array, it will result in an error message.

By adding [] after the parameter name, the full path will be disclosed in the error message:

Null Sessions Cookie
A very reliable method of producing error messages that contain the full path is to give the page a nulled session cookie using a JavaScript injection. A simple injection may look like:

Invalid Session Cookie
A very long session cookie value can also produce error messages that contain the full path. A simple injection may look like:

To prevent this type of attack, error messages should not be displayed. This can be done in several ways:

php.ini

httpd.conf or apache2.conf

General PHP scripts

In production systems, error messages should always be turned off.
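
One way to apply this from the script side, as an added example that is not code from the original page: errors are logged instead of displayed, and the file parameter is resolved through an allowlist so that neither a missing file nor an array value ever reaches a PHP warning. The PAGES map, the resolve_page() helper and the pages/ directory are assumptions made for illustration.

```php
<?php
// Added example, not the original page's code.
// Keep errors out of the response but still record them for operators.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
error_reporting(E_ALL);

// Hypothetical allowlist: request value => file under a fixed directory.
const PAGES = [
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

/**
 * Map the raw "file" request value to an allowlisted file name.
 * Returns null for anything unexpected, so no include() is attempted
 * on a missing file and no array reaches a string function.
 */
function resolve_page($raw): ?string
{
    // ?file[]=x arrives as an array; reject it before any string function sees it.
    if (!is_string($raw)) {
        return null;
    }
    // Accept "about" or "about.php"; the user-supplied value is never used as a path.
    $key = basename($raw, '.php');
    return PAGES[$key] ?? null;
}

// Constructed sample inputs standing in for $_GET['file'].
$samples = ['about.php', 'does-not-exist.php', ['x'], '../../etc/passwd'];
foreach ($samples as $raw) {
    $page = resolve_page($raw);
    if ($page === null) {
        // Generic response: no path, no PHP warning text.
        echo "404 Not Found\n";
        continue;
    }
    // A real handler would now run: include __DIR__ . '/pages/' . $page;
    echo "include pages/$page\n";
}
```

Only the first sample resolves to a page; the missing file, the array value and the traversal string all get the same generic 404 line.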
