Get a quote

Vulnerability Fixation
Internal Path Disclosure

Book a Free Consultation



Vulnerability:

Possible Internal Path Disclosure in the webpage. This can help an attacker identify other vulnerabilities or help during the exploitation of other identified vulnerabilities.

Full Path Disclosure (FPD) reveals the full filesystem path in error messages or responses, which attackers can use to facilitate other attacks such as Local File Inclusion or directory traversal. Example error:

Warning: mysql_num_rows() expects parameter 1 to be resource, boolean given in C:\wamp\www\en\events_detail.php on line 47

Impact

  • Attackers can discover webroot and filesystem layout.
  • Combining FPD with file inclusion flaws may expose configuration files or other sensitive data.
  • Increased ease of crafting targeted exploits against the server or application.

Solution

  • Disable PHP error display in production (update php.ini):
    display_errors = 0
    display_errors = Off
  • For shared hosting or user-level PHP configs, add/ensure a php.ini or user INI in the document root with display_errors disabled.
  • Disable warnings/errors in .htaccess when PHP runs as an Apache module:
    php_flag display_errors off
  • Disable warnings/errors programmatically where appropriate (note: not a replacement for server config):
    ini_set('display_errors','Off');
  • After changes, verify via phpinfo() (then remove the phpinfo file).
  • Ensure these settings show as:
    display_errors — Off
    display_startup_error — Off
  • Configure and serve a generic 500 error page (custom error pages) for the application to avoid exposing stack traces or paths.

Examples / Exploitation

  • Directory traversal attempts:
    example.com/load.php?file=image.jpg
    example.com/load.php?file=../../secret/key.txt
  • Direct access patterns:
    example.com/admin/secret/key.txt
  • FPD can reveal the underlying OS (Windows paths start with a drive letter like C:\, Unix paths start with /).

Also Read :

Content Sniffing

How To Enable Content Sniffing?

Certain browsers, try to determine the content type and encoding of the response even when these properties are defined correctly...

Read More

Content Sniffing

How To Enable Content Sniffing?

Certain browsers, try to determine the content type and encoding of the response even when these properties are defined correctly...

Read More

Content Sniffing

How To Enable Content Sniffing?

Certain browsers, try to determine the content type and encoding of the response even when these properties are defined correctly...

Read More

Content Sniffing

How To Enable Content Sniffing?

Certain browsers, try to determine the content type and encoding of the response even when these properties are defined correctly...

Read More