:Introduction: Normally one of the last steps when accessing to a web-server is to find the url where the web is installed (more common in RFD). This may be a hard step, if the RPD is the only bug in that server, but PHP programs have functions that unexpectedly can return lots of errors. **** ATTENTION **** This is a design Error made by the programmers of the affected php programms, PHP language by it is safe. ******************* Normally a Full Path Disclosure is not dangerous, but in this case the 90% of the programs written in PHP are vulnerable. This is a list of 21 tested programs, in their last release at 13/05/06, 19 are vulnerable: -paFileDB - Affected -PhpWiki - Affected (GET Data) -CuteNews - Affected (GET Data) -SMF - Affected (GET POST & COOKIE) -phpBB - Not Affected -phpNuke - Affected -myBB - Affected (POST Data) -phpMyAdmin - Affected -PHProxy - Affected (Cookie & Post Data) -phpSurveyor - Affected -vBulletin - Affected (POST Data) -PunBB - Affected (POST Data) -XMB - Affected (just some files) -IPB - Not Affected (some cases) -Quick Forum - Affected -FreeScene - Affected (POST Data) -EBB - Affected (just some files) -tinyBB - Affected (no filters xD) -SciELO - Affected (GET Data) -XOOPS - Affected (POST Data) -SquirrelMail- Affected The design-error AMAZINGLY USED is when you parse an Array into a function that spect a STRING. The mainly bug in PHP found was: PHPSESSID *or equivalent* equal to a null-array. when calling the function session_start(); will return an error like: Warning: session_start(): The session id contains invalid characters, valid characters are only a-z, A-Z and 0-9 in /%path%/test.php on line 3 ** NOTE ** This error also appears when calling with no value (that also bypass filters). This will also bypass all cleaning functions as: -htmlentities -urlencode -etc.. returning "specting T_STRING" error. :Solution: The only way to detect is to add to your filter the condition is_array(). Also, you have to clean with this all parameters incoming from $_REQUEST(cookie,get and post) :Other Solution: Disabling all errors and warnings in php.ini :Dangereous?: No, but a Path Disclosure can reveal sensitive information. :Impact: The path may contain the username of the account, includes file and path, version of software, drive were web is installed, etc.. :Note: I repeat. THIS IS NOT DANGEROUS, its only an aditional help you are giving to hackers that already have access to your server. :Research made by: sirdarckcat elhacker.net
