Full Path Disclosure

(Reference #1002)

Description


Full Path Disclosure (FPD) vulnerabilities let an attacker see the filesystem path to the webroot or to a specific file, e.g. /home/user/htdocs/file/. Certain attacks, such as using load_file() inside a SQL injection query to read page source, require the attacker to know the full path of the file they want to read.

Risk Factors


The risk posed by FPD depends on what is leaked and what it is combined with. For example, if the webroot path is leaked, attackers may use that knowledge together with file inclusion vulnerabilities (see PHP File Inclusion) to steal configuration files belonging to the web application or to the rest of the operating system. A typical leak is a PHP warning such as:

Warning: session_start() [function.session-start]: The session id contains illegal characters, 
valid characters are a-z, A-Z, 0-9 and '-,' in /home/example/public_html/includes/functions.php on line 2

In combination with, say, unprotected use of the PHP function file_get_contents, the attacker gets an opportunity to steal configuration files.

The source code of index.php:

<?php
   // Vulnerable: untrusted input is concatenated straight into a filesystem path.
   echo file_get_contents(getcwd().$_GET['page']);
?>

Knowing the full path from the FPD, an attacker combines it with Relative Path Traversal and crafts a URL such as: http://example.com/index.php?page=../../../../../../../home/example/public_html/includes/config.php

The leaked source code of config.php:

<?php
   //Hidden configuration file containing database credentials.
   $hostname = 'localhost';
   $username = 'root';
   $password = 'owasp_fpd';
   $database = 'example_site';
   $connector = mysql_connect($hostname, $username, $password);
   mysql_select_db($database, $connector);
?>

Apart from the above scenario, FPD can also reveal the underlying operating system through the shape of the leaked paths: Windows paths always start with a drive letter, e.g. C:\, while paths on Unix-based operating systems start with a single forward slash.

*NIX:

Warning: session_start() [function.session-start]: The session id contains illegal characters, 
valid characters are a-z, A-Z, 0-9 and '-,' in /home/alice/public_html/includes/functions.php on line 2

Microsoft Windows:

Warning: session_start() [function.session-start]: The session id contains illegal characters, 
valid characters are a-z, A-Z, 0-9 and '-,' in C:\Users\bob\public_html\includes\functions.php on line 2

FPD may reveal far more than people normally suspect. The two examples above also reveal usernames on the operating system: "alice" and "bob". Usernames are, of course, one half of a credential. Attackers can use them in many ways, from brute-forcing over various protocols (SSH, Telnet, RDP, FTP...) to launching exploits that require a valid username.
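The following is an added example, not code from the OWASP page: a small audit helper a defender can run over text they already hold, such as their own PHP error log or responses captured from a staging deployment, to find warnings that disclose an absolute path and to report what each one gives away (the path, the OS family, and the local username, exactly the information discussed above). The sample input is constructed from the warnings quoted on this page; the regular expressions and the /home and C:\Users conventions are assumptions about typical layouts.

```php
<?php
// Added example (not from the OWASP page): scan text for PHP warnings of the
// form "... in <absolute path> on line <n>" and classify each disclosed path.

// Tail of PHP's warning text: an absolute Unix path (/...) or a Windows
// drive-letter path (C:\...), followed by the line number.
const FPD_PATTERN = '/\bin ((?:[A-Za-z]:\\\\|\/)\S+) on line (\d+)/';

// Derive the OS family and, where the path runs through a home directory,
// the local username that the leak exposes.
function classifyPath(string $path): array
{
    $info = ['path' => $path, 'os' => 'unix', 'username' => null];
    if (preg_match('/^[A-Za-z]:\\\\/', $path)) {
        $info['os'] = 'windows';
        // C:\Users\<name>\... (assumed layout) names a local account
        if (preg_match('/^[A-Za-z]:\\\\Users\\\\([^\\\\]+)\\\\/', $path, $m)) {
            $info['username'] = $m[1];
        }
    } elseif (preg_match('#^/(?:usr/)?home/([^/]+)/#', $path, $m)) {
        // /home/<name>/... or /usr/home/<name>/... (assumed layout)
        $info['username'] = $m[1];
    }
    return $info;
}

// Return one finding per disclosed path found in $text.
function findPathDisclosures(string $text): array
{
    $findings = [];
    if (preg_match_all(FPD_PATTERN, $text, $matches, PREG_SET_ORDER)) {
        foreach ($matches as $m) {
            $findings[] = classifyPath($m[1]) + ['line' => (int) $m[2]];
        }
    }
    return $findings;
}

// Constructed sample: the warnings quoted on this page, one per line.
$sample = <<<'TXT'
Warning: session_start() [function.session-start]: The session id contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,' in /home/alice/public_html/includes/functions.php on line 2
Warning: session_start() [function.session-start]: The session id contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,' in C:\Users\bob\public_html\includes\functions.php on line 2
Warning: opendir(Array): failed to open dir: No such file or directory in /home/user/htdocs/index.php on line 84
TXT;

foreach (findPathDisclosures($sample) as $f) {
    printf("%-8s user=%-6s line=%-3d %s\n",
        $f['os'], $f['username'] ?? '-', $f['line'], $f['path']);
}
```

Any line this reports from a response body (as opposed to the server-side log) is a live FPD that should be closed by turning display_errors off and validating the input that triggered the warning.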

Examples


Empty Array

If a site requests pages through a parameter like this:

http://example.com/index.php?page=about

Appending empty square brackets to the parameter name turns the value into an array, which causes the page to output an error. The request would look like this:

http://example.com/index.php?page[]=about

This breaks the page, which then emits an error such as:

Warning: opendir(Array): failed to open dir: No such file or directory in /home/user/htdocs/index.php on line 84
Warning: pg_num_rows(): supplied argument ... in /usr/home/example/html/pie/index.php on line 131

Null Session Cookie

Another popular and very reliable method of producing errors containing an FPD is to give the page an empty (null) session cookie, for example by setting it from the browser's address bar with JavaScript. A simple injection using this method looks like this:

javascript:void(document.cookie="PHPSESSID=");

By simply setting the PHPSESSID cookie to an empty (null) value we get an error:

Warning: session_start() [function.session-start]: The session id contains illegal characters, 
valid characters are a-z, A-Z, 0-9 and '-,' in /home/example/public_html/includes/functions.php on line 2
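The following is an added example, not code from the OWASP page, showing how the vulnerable index.php from the Risk Factors section would be hardened against all three FPD triggers on this page at once: the traversal through a concatenated path, the empty-array parameter, and the malformed session cookie. It also keeps PHP from writing error text (paths included) into the response. The pages directory, the page names, and the .html extension are assumptions.

```php
<?php
// Added example (not from the OWASP page): hardened index.php.

// 1. Errors go to the server log, never to the client. Set the same in
//    php.ini as well, because a runtime ini_set() is too late for parse errors.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
error_reporting(E_ALL);

const PAGE_DIR      = __DIR__ . '/pages';            // assumed layout
const ALLOWED_PAGES = ['home', 'about', 'contact'];  // assumed page names

// 2. A session id may only contain the characters PHP itself allows
//    (a-z, A-Z, 0-9, ',' and '-'). A cookie that fails this check is replaced
//    before session_start() sees it, so the "illegal characters" warning
//    quoted above is never raised.
function sessionIdIsWellFormed($id): bool
{
    return is_string($id) && preg_match('/^[A-Za-z0-9,-]{22,256}$/', $id) === 1;
}

// 3. The page parameter must be a plain string from a fixed allowlist, and
//    the resolved file must still live under PAGE_DIR. "page[]=about" fails
//    is_string(); "../" sequences fail the allowlist; a symlink or similar
//    that leads outside PAGE_DIR fails the realpath() prefix check.
function resolvePage($param): ?string
{
    if (!is_string($param) || !in_array($param, ALLOWED_PAGES, true)) {
        return null;
    }
    $base = realpath(PAGE_DIR);
    $path = realpath(PAGE_DIR . '/' . $param . '.html');
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

$cookie = $_COOKIE[session_name()] ?? null;
if ($cookie !== null && !sessionIdIsWellFormed($cookie)) {
    session_id(bin2hex(random_bytes(16)));   // fresh, well-formed id
}
session_start();

$page = resolvePage($_GET['page'] ?? 'home');
if ($page === null) {
    http_response_code(404);
    echo 'Page not found.';   // generic text: no path, no echoed input
    exit;
}
readfile($page);
```

The allowlist is what actually removes the traversal; the realpath() prefix check is a second line of defence for the day someone replaces the allowlist with a directory listing. Turning display_errors off does not remove the underlying bugs, it only stops the path from reaching the client, which is why both the input checks and the error setting are needed.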