A Full Path Disclosure (FPD) vulnerability allows an attacker to see the full path to the webroot or to a file on the server, e.g. /home/name/htdocs/file/. An attacker uses FPD to perform certain other attacks: some functions used in attacks, such as load_file(), require the attacker to specify the whole path of the file. Many servers are vulnerable to FPD. An attacker can combine an FPD attack with a file inclusion attack to plant malicious files and to get access to sensitive files such as the application's configuration file, the server configuration file and many more. The attacker can exploit this vulnerability by using a null session and an empty array.
Consider the following link, which requests a page.
The attacker can put ‘’ to the page to output an error as follows.
The above warning reveals the path of the application.
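An added example, not part of the original page: a defender-side check that scans HTTP response bodies for PHP-style error messages exposing an absolute path, the kind of warning described above. The regular expression, the function names and the sample bodies are assumptions constructed for illustration.

```python
import re
from html import unescape

TAG_RE = re.compile(r"<[^>]+>")
# PHP error layout: "<Level>: <message> in <absolute path> on line <n>"
PHP_ERROR_RE = re.compile(
    r"(Warning|Notice|Fatal error|Parse error|Deprecated):\s+(.+?)\s+in\s+"
    r"((?:/|[A-Za-z]:\\)\S+)\s+on\s+line\s+(\d+)"
)

def find_path_disclosures(body):
    """Return one finding per error message that exposes an absolute path."""
    text = unescape(TAG_RE.sub("", body))  # drop <b>, <br /> markup, decode entities
    return [
        {"level": m.group(1), "message": m.group(2),
         "path": m.group(3), "line": int(m.group(4))}
        for m in PHP_ERROR_RE.finditer(text)
    ]

def scan_responses(responses):
    """Map URL -> findings, keeping only responses that leak a path."""
    hits = {}
    for url, body in responses.items():
        findings = find_path_disclosures(body)
        if findings:
            hits[url] = findings
    return hits

# Constructed sample bodies (not captured from any real server).
SAMPLE_RESPONSES = {
    "https://app.example.test/a": (
        "<br />\n<b>Warning</b>:  opendir(Array): failed to open dir: "
        "No such file or directory in <b>/home/name/htdocs/file/index.php</b> "
        "on line <b>84</b><br />"
    ),
    "https://app.example.test/b": (
        "<b>Notice</b>:  Undefined index: page in "
        r"<b>C:\inetpub\wwwroot\app\view.php</b> on line <b>12</b>"
    ),
    # Generic error page and ordinary prose: nothing to report.
    "https://app.example.test/c": "<h1>Something went wrong</h1>",
    "https://app.example.test/d": "<p>Notice: please sign in on line 2.</p>",
}

if __name__ == "__main__":
    for url, findings in scan_responses(SAMPLE_RESPONSES).items():
        for f in findings:
            print(f"{url}: {f['level']} leaks {f['path']} (line {f['line']})")
```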
Using this vulnerability, an attacker can:-
Beagle recommends the following:-