:Introduction:

Normally one of the last steps when accessing to a web-server is to find the url where the web is installed (more common in RFD).

This may be a hard step, if the RPD is the only bug in that server, but PHP programs have functions that unexpectedly can return lots of errors.

**** ATTENTION ****

This is a design Error made by the programmers of the affected php programms, PHP language by it is safe.

*******************

Normally a Full Path Disclosure is not dangerous, but in this case the 90% of the programs written in PHP are vulnerable.

This is a list of 21 tested programs, in their last release at 13/05/06, 19 are vulnerable:

-paFileDB - Affected

-PhpWiki - Affected (GET Data)

-CuteNews - Affected (GET Data)

-SMF - Affected (GET POST & COOKIE)

-phpBB - Not Affected

-phpNuke - Affected

-myBB - Affected (POST Data)

-phpMyAdmin - Affected

-PHProxy - Affected (Cookie & Post Data)

-phpSurveyor - Affected

-vBulletin - Affected (POST Data)

-PunBB - Affected (POST Data)

-XMB - Affected (just some files)

-IPB - Not Affected (some cases)

-Quick Forum - Affected

-FreeScene - Affected (POST Data)

-EBB - Affected (just some files)

-tinyBB - Affected (no filters xD)

-SciELO - Affected (GET Data)

-XOOPS - Affected (POST Data)

-SquirrelMail- Affected

The design-error AMAZINGLY USED is when you parse an Array into a function that spect a STRING.

The mainly bug in PHP found was:

PHPSESSID *or equivalent* equal to a null-array.

when calling the function session_start(); will return an error like:

Warning: session_start(): The session id contains invalid characters, valid characters are only a-z, A-Z and 0-9 in /%path%/test.php on line 3

** NOTE **

This error also appears when calling with no value (that also bypass filters).

This will also bypass all cleaning functions as:

-htmlentities

-urlencode

-etc..

returning "specting T_STRING" error.

:Solution:

The only way to detect is to add to your filter the condition is_array().

Also, you have to clean with this all parameters incoming from $_REQUEST(cookie,get and post)

:Other Solution:

Disabling all errors and warnings in php.ini

:Dangereous?:

No, but a Path Disclosure can reveal sensitive information.

:Impact:

The path may contain the username of the account, includes file and path, version of software, drive were web is installed, etc..

:Note:

I repeat. THIS IS NOT DANGEROUS, its only an aditional help you are giving to hackers that already have access to your server.

:Research made by:

sirdarckcat

elhacker.net