PHP - Full Path Disclosure

**brokenbylaw** · 03-01-2010, 07:05 PM

I will explain one vulnerability in PHP and hopefully more if this tutorial is liked

FPD (full path disclosure) What is it?

Basically it reveals the full operating url of a script, it returns an error displaying sometimes critical information, php being kind loves to be descriptive so it will come in use if say, your calling another php script for authentication.

While the risk is said to be petty, I believe it can become severe if your trying to hide something, even though its a very simple fix.
__________________

Code:


<?php

session_start();

?>

The above script is very basic, imagine it being in a login script

upon viewing the page it /should/ be blank, lets look behind the scenes, there are a couple of ways, i will reveal two of my most common.

Firefox with the LiveHttpHeaders addon

and javascript

Code:

javascript:alert(document.cookie);

So there is a valid session going on, lets corrupt it

Code:

javascript:void(document.cookie="PHPSESSID=");

+++OR+++

javascript:alert(document.cookie="PHPSESSID=");

choose your weapon, the second one is visible.

refresh.and.look

Code:

Warning: session_start() [function.session-start]: The session id contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,' in www\session_test.php on line 2

So there you go, as you can see it discloses what function is being used, the line number, and the file

to fix this, hmmm

php.ini

Code:

display_errors = 'off'

httpd.conf

Code:

php_flag  display_errors  off

and there are a couple inscript methods, use the php docs

or just ask.

later!!

**_jenn** · 02-09-2012, 09:58 PM

hey everyone,

just inquiring, is there a way to see all the files in www.tru.ca/__shared/assets/ ??

i want to know if there would be any modules for my homework that will help me for my exam. i know there was a file that was uploaded there: http://www.tru.ca/__shared/assets/ol...6-23422681.pdf

if anyone could let me know, itd be much appreciated! =]

**Alexander** · 02-10-2012, 01:36 AM

Originally Posted by _jenn

hey everyone,

just inquiring, is there a way to see all the files in www.tru.ca/__shared/assets/ ??

i want to know if there would be any modules for my homework that will help me for my exam. i know there was a file that was uploaded there: www.tru.ca/__shared/assets/ol_2010calendar_p106-23422681.pdf

if anyone could let me know, itd be much appreciated! =]

Jenn, we do not facilitate learning, nor are accepting of cheating or hacking in this manner. As my personal opinion: Ask the teacher for aid if you have found the course work to be not sufficient enough to complete an examination on it.

**WingedPanther** · 02-11-2012, 04:32 PM

Most websites are configured to NOT allow you to see all the files in a folder. It's entirely possible it's a virtual folder, which means the contents are in a database, and there's nothing to browse.