+++++++++++++++++++++++++++++++++++++++++++++++++++
Path Disclosure Vulnerability - Is it serious?
by Aung Khant, http://yehg.net
+++++++++++++++++++++++++++++++++++++++++++++++++++

Path disclosure vulnerability is also known as full or internal path disclosure. Usually it is not a vulnerability in itself; it is more of an informational risk. But sometimes it is a clue to a Local File Inclusion vulnerability.

It may be due to a web server or application misconfiguration that reveals error messages to web site visitors. Sometimes the application itself generates debugging error messages.

It becomes more or less serious depending on whether the path disclosed turns out to be a sensitive one. Think of the following paths.

1. /var/www/html

Here, there is no sensitive risk. The path is generally known to all as one of the generic Apache htdocs locations. In attacks like path traversal or local file inclusion, attackers will try all such generic locations anyway.

2. /home/vicky/public_html/

Here, the username vicky is disclosed. It allows attackers to brute-force its password against the ssh or ftp services.

3. /data/secrets/financial/

Here, the directory is outside the webroot folder. Potentially sensitive information is likely to be stored at that location. After successfully compromising the server, attackers know where to look for sensitive information.

From the developers' point of view, adding a check may mean additional work or headache. Consider the following silly scenario:

file4.php loads functions from file5.php
file3.php loads functions from file4.php
file2.php loads functions from file3.php
file1.php loads functions from file2.php
... etc.

So, if you call file1.php directly from the browser, it will look for

1. file2.php, which will look for
2. file3.php, which will look for
3. file4.php, which will look for
4. file5.php

This is just a simple one-to-one inclusion. Complex web applications may require many complex inclusions for function/library reuse.
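The developer-side check the scenario above calls for, paired with the server-side error-display settings, as an added example written for this page (not code from the article or from the inspath tool). Two files are shown in one listing; the file names, DSN and log path are constructed, and the only path taken from the article is /home/vicky/public_html.

```php
<?php
// Added example, not code from the article: two layers of defence for a PHP
// include chain such as file1.php -> file2.php -> ... -> file5.php. Two files
// are shown in one listing; all names and paths are hypothetical except the
// article's sample path /home/vicky/public_html.

// ===== index.php : the only script that visitors request directly =====

// Server-side layer. This belongs in php.ini or the vhost config; ini_set()
// is only a fallback, since it runs too late to hide a parse error in this
// very file.
ini_set('display_errors', '0');   // errors never reach the browser
ini_set('log_errors', '1');       // but they are kept for the administrator
ini_set('error_log', __DIR__ . '/../logs/php-errors.log');  // outside webroot

// Application layer: a marker that only the front controller defines.
define('IN_APP', true);

$config = ['dsn' => 'sqlite::memory:'];   // constructed sample configuration
require __DIR__ . '/lib/db.php';
echo db_status($pdo), "\n";

// ===== lib/db.php : a library file that expects the caller's $config =====

// The check the article says developers tend to skip. Requested directly,
// this file has no $config, so without the guard PHP evaluates the PDO line
// below and, with display_errors on, answers the visitor with
//   Fatal error: Uncaught PDOException: invalid data source name
//   in /home/vicky/public_html/lib/db.php:NN
// disclosing both the webroot and the account name "vicky".
if (!defined('IN_APP')) {
    http_response_code(403);
    exit('Forbidden');       // generic body: no path, no stack trace
}

$pdo = new PDO($config['dsn']);   // top-level code that needs the caller's state

function db_status(PDO $pdo): string
{
    return 'driver: ' . $pdo->getAttribute(PDO::ATTR_DRIVER_NAME);
}
```

With the guard in place a direct request for lib/db.php gets a bare 403, and with display_errors off any remaining error still ends up in the administrator's log rather than in the visitor's browser.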
As a result, this issue is best handled on the server side. However, it is better to patch this hole in the application if one can, rather than blaming it on a server configuration issue, as we have seen lazy administrators out there who let their users get hacked. Never expect or ask developers to fix this issue completely; that would leave it open to attackers who can take advantage of it.

_________________________________________________________________________________________________________

Path Disclosure FAQ
From http://codex.wordpress.org/Security_FAQ

- Why are there path disclosures when directly loading certain files?
- This is considered a server configuration problem. Never enable display_errors on a production site.

_________________________________________________________________________________________________________

Tool: inspath - http://yehg.net/lab/pr0js/files.php/inspath.zip