What is Visible Detailed Error/Debug Page Full Path Disclosure Vulnerability?

Full Path Disclosure (FPD) flaws allow an attacker to learn the absolute filesystem path of the web root or of a specific file, for example /home/omg/htdocs/file/. On its own this is only information, but several attack techniques depend on it: reading a file's source through MySQL's LOAD_FILE() inside a SQL injection, for instance, requires the attacker to know the full path of the file they want to read, because LOAD_FILE() does not resolve paths relative to the web root.

The consequences of FPD depend on what else is exploitable. Once the web root path is known, an attacker can combine it with a file inclusion or path traversal vulnerability (see PHP File Inclusion) to read the web application's configuration files (database credentials, API keys) or other files on the operating system. The most common source of FPD is a verbose error or debug page, such as the PHP warning below, which prints the absolute path of the script that raised it:

Warning: session_start() [function.session-start]: The session id contains illegal characters,
valid characters are a-z, A-Z, 0-9 and '-,' in /home/example/public_html/includes/functions.php on line 2

Combined with, for instance, unsafe use of the PHP function file_get_contents() on user-controlled input, the disclosed path gives the attacker direct access to configuration files:

<?php
   // Vulnerable: the page parameter is appended to the current working
   // directory with no validation, so "../" sequences walk out of the web
   // root. Kept as the page presents it; do not deploy this.
   echo file_get_contents(getcwd().$_GET['page']);
?>

Knowing the path from the FPD and combining it with relative path traversal, an attacker can request a URL like this: http://exxxxample.org/index.php?page=../../../../../../../home/example/public_html/includes/config.php (note that getcwd() returns the directory without a trailing slash, so against the code above the page value must begin with a separator, e.g. page=/../../.., for the concatenated path to resolve).
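The following is an added example, not code from the original page or from ZOFixer: a hardened replacement for the vulnerable loader above. It closes both halves of the attack chain described here: it stops PHP warnings from disclosing paths by disabling display_errors, and it refuses any page parameter that is not a plain name resolving inside an expected directory. The constant PAGES_DIR and the .html page convention are assumptions made for illustration.

```php
<?php
// Added example: hardened version of the loader shown on this page.
// PAGES_DIR and the ".html" convention are assumptions for illustration.

// 1. Do not leak paths in error output: log errors instead of displaying them.
//    In production set these in php.ini; they are set here so the example is
//    self-contained.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
error_reporting(E_ALL);

define('PAGES_DIR', __DIR__ . '/pages');   // assumed directory of includable pages

/**
 * Return the contents of an allowed page, or null if the request is rejected.
 * Rejection reasons are logged server-side; the client only sees a generic error.
 */
function load_page(string $requested): ?string
{
    // 2. Only simple names like "about" or "contact-us" are accepted: no slashes,
    //    dots, NUL bytes or trailing newline (\z, not $), so "../" and
    //    "config.php" never reach the filesystem at all.
    if (!preg_match('/^[a-z0-9_-]{1,64}\z/', $requested)) {
        error_log('load_page: rejected page name: ' . bin2hex($requested));
        return null;
    }

    $base = realpath(PAGES_DIR);
    $path = realpath(PAGES_DIR . '/' . $requested . '.html');

    // 3. realpath() returns false for missing files and resolves symlinks, so a
    //    prefix check against the canonical base directory defeats traversal
    //    even if the character allowlist above is loosened later.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        error_log('load_page: path outside pages dir: ' . var_export($path, true));
        return null;
    }

    return file_get_contents($path);
}

// $_GET values can be arrays (?page[]=x); only accept a string.
$page = isset($_GET['page']) && is_string($_GET['page']) ? $_GET['page'] : 'home';
$body = load_page($page);

if ($body === null) {
    http_response_code(404);
    echo 'Page not found';          // no path, no stack trace, no PHP warning
} else {
    echo $body;
}
```

The allowlist alone would stop the traversal payload above; the realpath() prefix check is kept as a second, independent control so that a later relaxation of the regex (to allow subdirectories, say) does not silently reopen the hole. Disabling display_errors is what removes the FPD itself: the same warning from functions.php still occurs, but it goes to the server log rather than to the attacker.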

The ZOFixer.com security scan helps find this vulnerability in your software and server; you can use it by registering on our website and activating the 30-day trial.
