Full Path Disclosure

From Hakipedia

Full Path Disclosure (FPD) is the revelation of the full file system path of a vulnerable script. The FPD bug is triggered by injecting unexpected input into certain parameters of a web page. The script does not expect the injected input and returns an error message that includes details of the error, as well as the path of the targeted script on the server.

FPD vulnerabilities are generally regarded as low-risk threats, too often dismissed by web-masters as nothing to worry about, or as a feature of the scripting language. While the latter is true, only the web-master should see the output of error messages, and they should be logged as appropriate; an attacker should never see the output of an error message within a web page.

Severity

Low to Medium (circumstantial).

Exploit Likeliness

Extremely High.

The Use of FPDs

While FPD vulnerabilities are generally perceived as low risk, they can often be used in conjunction with other exploiting techniques and can mean the difference between a successful hack and a flop.

One example of such a relationship is the use of an LFI vulnerability partnered with FPD. With LFI alone (whether via the conventional include method, or via an SQL injection with load_file()), the attacker may not be able to find the folder containing a configuration file they wish to view, or the standard includes folder(s) may have been renamed.

If an attacker can cause an error that will output the location of an important file or folder, they may be able to read the contents of an SQL configuration file, and in-turn, gain full access to the database.

While FPDs are generally used in conjunction with other attack methods, they can, at times, be all an attacker needs to gain access to a database or server. An example of this is a flat-file web application: the application may be vulnerable to a full path disclosure which echoes the location of a flat-file database, and that file may include administrative information such as administration panel passwords, email addresses, or user passwords.

FPD Execution

Full Path Disclosures are the result of a script lacking an error management system. The error messages themselves are a feature of the coding language, designed to help debug any errors that occur during the life-cycle of the script. FPDs can be triggered by simply injecting an input that the script does not know how to handle.

Array[] Parameter Injection

Array[] Parameter Injection is made possible when a script passes a $_GET parameter straight into a function call. If the $_GET parameter is wrapped in a function that expects a string, for instance htmlentities() or opendir(), but receives an array instead, the result is an error message. The output of the error message will look similar to the following:

Warning: htmlentities() expects parameter 1 to be string, array given in /var/www/foobar.php on line 16

As the function expects that parameter to be a string, passing an array makes the call fail, and the script outputs only the warning from the function, path included.

Illegal Session Injection

Illegal Session Injection is made possible by changing the value of the session cookie to an invalid, or illegal, character. There are many injectable characters that will result in the output of the operating path, but the most common, and most widely (un)supported, is the null character, i.e. making the cookie value empty. To inject a PHPSESSID cookie, use JavaScript injection via the URL bar:

javascript:void(document.cookie="PHPSESSID=");

Once the injection has been executed, a page refresh is required. If the injection is successful, it will result in an error message similar to the following:

Warning: session_start() [function.session-start]: The session id contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,' in /var/www/foobar.php on line 3

As the session_start() function does not expect the illegal characters, it emits a warning, and that warning discloses the full path.


Direct Access to Files that Require Preloaded Library Files

Web application developers sometimes fail to add safety checks to files that require preloaded library/function files. Such files are prone to revealing sensitive information when their URLs are requested directly. Sometimes this is also a clue to a Local File Inclusion vulnerability.

In the case of Mambo CMS, if we request the URL http://site.com/mambo/mambots/editors/mostlyce/jscripts/tiny_mce/plugins/spellchecker/classes/PSpellShell.php directly, we get:

<br />
<b>Fatal error</b>:  Class 'SpellChecker' not found in <b>/home/victim/public_html/mambo/mambots/editors/mostlyce/jscripts/tiny_mce/plugins/spellchecker/classes/PSpellShell.php</b> on line <b>9</b><br />

This kind of check can easily be done by developers with the aid of the inspathx tool.
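One way a library file can protect itself against direct requests, as an added example that is not Mambo's code: the entry point defines a marker constant before including any library file, and each library file refuses to run unless that constant exists. The file and class names (index.php, SpellChecker, PSpellShell, the IN_APP constant) are placeholders modelled on the error message above.

```php
<?php
// Added example, not Mambo's code. The entry point (index.php) does this
// before including any library file:
//
//     define('IN_APP', true);
//     require_once __DIR__ . '/classes/SpellChecker.php';
//     require_once __DIR__ . '/classes/PSpellShell.php';
//
// The rest of this file is the library file, classes/PSpellShell.php.

// Guard: a direct request never passes through the entry point, so the
// marker constant is undefined. We stop here, before PHP reaches the class
// declaration whose parent class has not been loaded, so no fatal error
// (and no path) is ever rendered. The attempt goes to the server log.
if (!defined('IN_APP')) {
    http_response_code(403);
    error_log('Direct request to library file ' . basename(__FILE__)
        . ' from ' . ($_SERVER['REMOTE_ADDR'] ?? 'unknown'));
    exit('Access denied.');
}

// Only reached when included through the entry point, where SpellChecker
// has already been loaded, so the extends clause resolves.
class PSpellShell extends SpellChecker
{
    public function checkWords(string $lang, array $words): array
    {
        // Spell-checking logic of the real library would live here.
        return [];
    }
}
```

The guard has to be the first statement in the file: PHP binds a class with an unloaded parent at run time, so any declaration placed above the check would already produce the "Class not found" fatal error seen above.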

FPD Prevention

Preventing an FPD injection without an error handling / management system is as simple as disabling the display of error messages. This can be done in PHP's php.ini file, in Apache's httpd.conf file, or in the PHP script itself:

php.ini:

display_errors = Off

httpd.conf/apache2.conf:

php_flag  display_errors  off

PHP script:

ini_set('display_errors', '0');

Error Handling

In the case of the array[] parameter injection, PHP's is_array() function can be used to detect the injection, and log the attempt to a desired file or database:

if (isset($var) && is_array($var)) {
    logfunction(); // record the attempt, then stop processing the request
    exit;
}

In the case of the illegal session injection, regular expressions can be used to filter out invalid session values before they reach session_start(). Checking for characters other than a-z, A-Z, 0-9 and '-,' allows the disclosure attempt to be logged to a desired file or database.
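Putting the prevention and error-handling advice above together, as an added example that is not the page's own code: a request handler that turns off error display, sends any remaining PHP warning to the server log, rejects an array where a string parameter is expected (a hypothetical ?page= parameter), and validates the PHPSESSID cookie against the character set named in the session_start() warning before starting the session. It goes slightly beyond the page by registering an error handler with set_error_handler(), so that a notice that slips through is logged rather than printed; the log destination is PHP's error_log.

```php
<?php
// Added example, not the page's code. Assumes a page read as ?page=...
// and PHP's default PHPSESSID cookie; log entries go to error_log.

// 1. Never show errors to the client, but keep logging them server-side.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// 2. Any warning or notice that still occurs becomes a log line, not output.
set_error_handler(function (int $errno, string $errstr, string $errfile, int $errline): bool {
    error_log(sprintf('[php %d] %s in %s:%d', $errno, $errstr, $errfile, $errline));
    return true; // handled: PHP's own (path-revealing) output is suppressed
});

function log_fpd_attempt(string $kind, string $detail): void
{
    error_log(sprintf('[fpd-attempt] %s: %s ip=%s', $kind, $detail,
        $_SERVER['REMOTE_ADDR'] ?? 'unknown'));
}

// 3. Array[] parameter injection: insist on a scalar before any string
//    function (htmlentities, opendir, ...) is called on the value.
$page = $_GET['page'] ?? 'home';
if (!is_string($page)) {
    log_fpd_attempt('array-parameter', 'page received as ' . gettype($page));
    http_response_code(400);
    exit('Bad request.');
}

// 4. Illegal session injection: check the cookie against the characters
//    session_start() accepts (a-z, A-Z, 0-9, '-' and ',') before calling it.
$sid = $_COOKIE['PHPSESSID'] ?? null;
if ($sid !== null && (!is_string($sid) || !preg_match('/^[a-zA-Z0-9,-]{1,128}$/', $sid))) {
    log_fpd_attempt('session-id', var_export($sid, true));
    setcookie('PHPSESSID', '', time() - 3600); // tell the browser to drop it
    unset($_COOKIE['PHPSESSID']);              // so session_start() issues a fresh id
}
session_start();

// Normal processing continues with a validated string.
echo htmlentities($page, ENT_QUOTES, 'UTF-8');
```

The empty cookie value used in the injection above fails the `{1,128}` length requirement, so it is logged and discarded rather than handed to session_start(); the same regular expression also rejects the "illegal characters" case the warning describes.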

Conclusion

While full path disclosure is a handy reconnaissance technique that can, in some situations, be used to complete a successful hack, it is very unlikely that the vulnerability by itself will lead to one.

There are very rare cases in which the vulnerability can be used as the sole technique to successfully penetrate a web-site. For this to be the case, the security practices of the web-master must be very poor: for instance, the use of flat-file databases, or of poor include extensions such as .inc or .txt files.

The vulnerability is at most useful as a reconnaissance technique for gathering information about a target.
