Full path disclosure (FPD) vulnerability

Jijith Rajan
Published on
28 Dec 2023
7 min read

A full path disclosure (FPD) vulnerability allows an attacker to examine the trail to the webroot/file present in the server. e.g.: /home/name/htdocs/file/.

Some functions (used for attacking) like load_file() require the attacker to specify the whole path of the file.

An attacker can use FPD attack along with the file inclusion attack to plant malicious files and to get access to sensitive files like application’s configuration file, server configuration file and many more.

The attacker can exploit this vulnerability by using null session and empty array.


Consider the following link requesting a page.


The attacker can put ‘[]’ to the page to output an error as follows.

Warning: opendir(Array): failed to open dir: No such file or directory in /home/beagle/htdocs/index.php on line 84 

Warning: pg_num_rows(): supplied argument ... in /usr/home/beagle/html/pie/index.php on line 131

The above warning reveals the path of the application.

How can the full path disclosure vulnerability be exploited?

Full path disclosure (FPD) vulnerability occurs when an attacker is able to gain access to the internal file system paths of a web application.

This can happen due to improper handling of user inputs, insufficient input validation, or errors in the application’s code.

Exploiting an FPD vulnerability can provide attackers with valuable information about the server’s directory structure and potentially reveal sensitive files.

Here’s how an FPD vulnerability might be exploited:

1. Identifying the vulnerable input

Attackers identify a vulnerable input point within the web application. This could be in the URL, query parameters, or form fields.

2. Crafting malicious requests

The attacker crafts malicious requests by manipulating the input to point to different directories or files.

They might try various techniques such as appending special characters like “..” to traverse directories or using absolute paths.

3. Observing server responses

When the attacker sends malicious requests, they analyze the responses from the server.

If the application is vulnerable to FPD, the response may contain error messages, stack traces, or file paths that reveal the internal structure of the server.

4. Extracting sensitive information

Attackers analyze the information obtained from the server responses.

They may be able to deduce the file structure, directory paths, and sometimes even the existence of sensitive files such as configuration files, logs, or source code.

5. Exploiting revealed information

With knowledge of the file paths, attackers can potentially use this information to plan further attacks, such as trying to exploit other vulnerabilities in the application, compromising sensitive data, or launching a more targeted attack against the server.

What are the impacts of full path disclosure (FPD) vulnerability?

Full path disclosure (FPD) vulnerabilities can have several significant impacts on a web application and its underlying infrastructure.

When attackers successfully exploit an FPD vulnerability, they can gain insight into the internal file system structure and potentially access sensitive information.

Here are some of the potential impacts of FPD vulnerabilities:

1. Directory structure exposure

Attackers can gain detailed knowledge of the directory structure of the server, including the organization of files and folders.

This information aids them in planning further attacks and identifying potential targets.

2. Sensitive file disclosure

FPD vulnerabilities can lead to the disclosure of sensitive files, such as configuration files, log files, source code, and backup files.

Attackers can leverage this information to gather sensitive data or exploit vulnerabilities.

3. Credential exposure

If configuration files containing database connection credentials or API keys are exposed, attackers can obtain credentials that may provide unauthorized access to other systems or databases.

4. Leak source code

The exposure of application source code can provide attackers with insights into the application’s logic, algorithms, and potential security weaknesses.

This knowledge can be used to devise targeted attacks.

5. Privacy violation

FPD vulnerabilities may lead to the disclosure of user data, logs, or other information that violates user privacy and regulatory requirements.

6. Attack surface expansion

Attackers can leverage the disclosed information to identify other vulnerabilities in the application or server, potentially leading to more sophisticated attacks.

7. Security misconfiguration

The discovery of sensitive files and directories may indicate security misconfigurations or improper access controls within the application or server.

8. Sensitive data exposure

FPD vulnerabilities can expose sensitive data stored within files, such as personally identifiable information (PII), financial data, or confidential business information.

9. Exploitation of other vulnerabilities

Attackers can exploit the information obtained from FPD to launch more targeted and sophisticated attacks, potentially exploiting other vulnerabilities in the application.

10. Data manipulation and tampering

Attackers may manipulate exposed files or configuration settings, leading to data manipulation or unauthorized modifications of the application’s behavior.

How do you mitigate full path disclosure vulnerability?

Preventing Full Path Disclosure (FPD) vulnerabilities requires a combination of secure coding practices, proper server configuration, and ongoing monitoring.

Here are several steps you can take to prevent FPD vulnerabilities in your web applications:

1. Input validation and sanitization

Implement strict input validation and sanitization to ensure that user-controlled input is properly validated and sanitized before being used to construct file paths.

2. Avoid direct use of user input

Avoid directly using user-supplied input to construct file paths or include files. Instead, validate input and use it in a controlled and safe manner.

3. Use whitelists

Create whitelists of acceptable values or patterns for input that is used to construct file paths. Only allow known and safe values to be used.

4. Use parameterized queries

If interacting with databases, use parameterized queries or prepared statements to prevent SQL injection attacks that could lead to FPD vulnerabilities.

5. Disable detailed error messages

In production environments, disable or restrict the display of detailed error messages that might reveal sensitive information about file paths or server internals.

6. Implement proper access controls

Use appropriate access controls and permissions to limit what files and directories are accessible by the application and its users.

7. Secure file inclusion

If file inclusion is necessary, use a secure mechanism that only allows inclusion of specific files from known locations. Avoid using user-controlled input for file inclusion.

8. Patch and update software

Keep server software, web frameworks, and libraries up to date with the latest security patches to address known vulnerabilities.

9. Use security headers

Implement security headers like X-Content-Type-Options and X-Frame-Options to prevent certain types of attacks and information leakage.

10. User and developer training

Educate developers about secure coding practices and the risks associated with FPD vulnerabilities. Train users to be cautious about clicking on unfamiliar links.

By following these preventive measures and adopting a security-conscious mindset throughout the development lifecycle, you can significantly reduce the risk of File Path Disclosure vulnerabilities in your web applications.

Automated human-like penetration testing for your web apps & APIs
Teams using Beagle Security are set up in minutes, embrace release-based CI/CD security testing and save up to 65% with timely remediation of vulnerabilities. Sign up for a free account to see what it can do for you.

Written by
Jijith Rajan
Jijith Rajan
Cyber Security Engineer
Find website security issues in a flash
Improve your website's security posture with proactive vulnerability detection.
Free website security assessment
Experience the power of automated penetration testing & contextual reporting.