
PHP - Full Path Disclosure


2 replies to this topic

#1 brokenbylaw


    CC Resident

  • Just Joined
  • 57 posts

Posted 01 March 2010 - 10:27 PM

I will explain one vulnerability in PHP and hopefully more if this tutorial is liked :P


FPD (full path disclosure) What is it?

Basically, it reveals the full operating URL of a script: it returns an error displaying sometimes critical information. PHP, being kind, loves to be descriptive, so it will come in use if, say, you're calling another PHP script for authentication.

While the risk is said to be petty, I believe it can become severe if you're trying to hide something, even though it's a very simple fix.


The above script is very basic; imagine it being in a login script :)

Upon viewing the page it /should/ be blank. Let's look behind the scenes. There are a couple of ways; I will reveal two of my most common:

Firefox with the LiveHttpHeaders addon

and JavaScript

So there is a valid session going on; let's corrupt it :)


Choose your weapon; the second one is visible.


Warning: session_start() [function.session-start]: The session id contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,' in www\session_test.php on line 2

So there you go. As you can see, it discloses what function is being used, the line number, and the file :)

To fix this, hmmm:

display_errors = 'off'

php_flag  display_errors  off

and there are a couple of in-script methods; use the PHP docs :) or just ask.


What do I need to improve in tutorials?

  • 0
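As an added example that is not part of the original post and is not the author's code: the fix the post ends with, written out as one script. It combines the display_errors setting with an in-script error handler and a check of the session id cookie before session_start(), so the warning quoted above is neither triggered by a tampered cookie nor rendered into the response if it does fire. The log path, the session id length bound and the file layout are assumptions.

```php
<?php
// Added example, not code from the original post: a session-start script that
// keeps the diagnostics PHP would otherwise print (file path, line number,
// function name) out of the HTTP response. The log path is a placeholder.
declare(strict_types=1);

// Weak setting the post describes: with display_errors on, a warning such as
//   Warning: session_start(): ... in www\session_test.php on line 2
// is rendered straight into the page. Corrected settings:
ini_set('display_errors', '0');   // never render diagnostics to the client
ini_set('log_errors', '1');       // keep them server-side instead
ini_set('error_log', '/var/log/php/app-errors.log'); // placeholder path
error_reporting(E_ALL);           // still record everything, just not on screen
ini_set('session.use_strict_mode', '1'); // reject ids the server never issued

// In-script method: turn any warning that still fires into a log line plus a
// generic reply, so neither $errfile nor $errline can reach the browser even
// if the ini settings above are overridden elsewhere.
set_error_handler(function (int $errno, string $errstr, string $errfile, int $errline): bool {
    error_log(sprintf('php error %d: %s in %s:%d', $errno, $errstr, $errfile, $errline));
    if (!headers_sent()) {
        http_response_code(400);
    }
    echo 'Invalid request.';
    exit;
});

// Validate the session id cookie before session_start() looks at it. The
// character class is the one named in the warning the post quotes; the
// length bound (22 to 256) is an assumption, not a PHP-defined limit.
function session_id_is_wellformed(?string $id): bool
{
    return $id !== null && preg_match('/^[A-Za-z0-9,-]{22,256}$/', $id) === 1;
}

$cookieName = session_name();
if (isset($_COOKIE[$cookieName]) && !session_id_is_wellformed($_COOKIE[$cookieName])) {
    // session_start() reads the id from $_COOKIE; dropping the tampered value
    // makes PHP issue a fresh id instead of warning about the illegal one.
    unset($_COOKIE[$cookieName]);
}

session_start();
$_SESSION['visits'] = ($_SESSION['visits'] ?? 0) + 1;
echo 'OK';
```

With these settings, repeating the post's test (a session cookie containing characters outside the allowed set) produces a new session and a plain "OK" or "Invalid request." body; the file path and line number only appear in the server-side log, which is where an operator looks for them.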

#2 sheva249


    CC Lurker

  • Just Joined
  • 5 posts

Posted 08 April 2010 - 09:28 PM

Thanks a lot for sharing with us.
  • 0

#3 kiddies


    CC Addict

  • Advanced Member
  • 129 posts

Posted 09 April 2010 - 06:45 AM

Is this tutorial about how to find a vulnerability, or how to secure against FPD?????

But it's a nice tutorial, bro....
  • 0
