Full Path Disclosure vulnerability

OWASP 2013-A5 OWASP 2017-A6 OWASP 2021-A5 OWASP 2019-API3 CAPEC-126 WASC-​13 WSTG-INFO-09

A Full Path Disclosure (FPD) vulnerability allows an attacker to examine the trail to the webroot/file present in the server. e.g.: /home/name/htdocs/file/. The FPD vulnerability is used by an attacker to performing certain attacks. Some functions ( used for attacking) like load_file() require the attacker to specify the whole path of the file. There are many servers vulnerable to Full Path Disclosure (FPD) vulnerability. This vulnerability enables the attacker to view the path to the webroot/file. An attacker can use FPD attack along with file inclusion attack to plant malicious files and to get access to sensitive files like application’s configuration file, server configuration file and many more. The attacker can exploit this vulnerability by using Null session and empty array.


Consider the following link is requesting a page.


The attacker can put ‘[]’ to the page to output an error as follows.

        Warning: opendir(Array): failed to open dir: No such file or directory in /home/beagle/htdocs/index.php on line 84
        Warning: pg_num_rows(): supplied argument ... in /usr/home/beagle/html/pie/index.php on line 131


The above warning reveals the path of the application.


Using this vulnerability, an attacker can:-

  • leak the source code of the application using file_get_contents() function.
  • leak the config.php file.
  • use this vulnerability to perform a SQL injection attack and many more attacks.

Mitigation / Precaution

Beagle recommends the following:-

  • Try not to reveal any errors on the webpage. An attacker can use the information in the error to perform FPD attack. Make sure error reporting is turned off so that the application won’t display error on the server.

Latest Articles