Detectify
Knowledge Base

Back to Knowledge Base

Support Center

Full Path Disclosure

Last Updated: Jul 25, 2016 11:53AM CEST

Full Path Disclosure refers to being able to see the full path of something hosted on the server. It’s often, but not always, the location of the script itself.

What can happen?

The information exposed is most often rather harmless, but may aid in other attacks such as Local File Inclusion. For example, the path may expose which CMS it's running, what web server the site is using and/or other sensitive information.

Example of Full Path Disclosure

Many server errors include the full path by default. An attacker can often force a server error in multiple ways, albeit two of the most common are PHP Null Session and Empty Array.

PHP Null Session

You can read about PHP Null Session here.

Empty Array

Say we had a page like this:
https://example.com/index.php?page=about

Now, if we turn the string page into an array instead, we will force PHP to generate an error that will disclose the location path of the script:
https://example.com/index.php?page[]=about

More examples

More examples can be found at OWASP.

Common False Positive

When a path is embedded in a blog or forum post, we will mark it as a vulnerability even though it’s just a text string. We’ve discussed this internally multiple times, but decided that an effort to try and filter out these findings would result in too many overlooked vulnerabilities. However, if you mark the finding as “accepted risk” or “false positive”, we will try to automatically filter it out for you in future scans so you won’t be bothered by it anymore.

Remediation

Make sure no auto-generated errors are shown to the end user and don’t include the path in your own customized ones.

Resources

Related articles

support@detectify.com
https://cdn.desk.com/
false
desk
Loading
seconds ago
a minute ago
minutes ago
an hour ago
hours ago
a day ago
days ago
about
false
Invalid characters found
/customer/en/portal/articles/autocomplete