CATEGORY Full Path Disclosure Vulnerability

Full Path Disclosure (FPD) is the revelation of the full operating path of a vulnerable script. The FPD bug is triggered by injecting unexpected characters into certain parameters of a web page. The script doesn't expect the injected character and returns an error message that includes details of the error as well as the operating path of the targeted script.

FPD vulnerabilities are generally regarded as low-risk threats and are too often dismissed by webmasters as nothing to worry about, or as features of the scripting language. While the latter is true, only the webmaster should see the output of error messages and log them as appropriate; an attacker should never see the output of an error message within a web page.
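The following is an added example, not code from the original page: a minimal WSGI handler wrapped once with verbose error output and once with errors routed to a server-side log, plus a check that flags absolute paths in a response body. The document root, handler, wrapper names and log buffer are all constructed for illustration.

```python
import io, logging, os, re, traceback, uuid

DOC_ROOT = "/srv/www/fpd-demo/pages"   # constructed path, does not exist
log_buf = io.StringIO()                # stands in for the server-side error log
logger = logging.getLogger("fpd_demo")
logger.addHandler(logging.StreamHandler(log_buf))
logger.propagate = False

# Absolute Unix or Windows paths as they appear in error messages
PATH_RE = re.compile(r"(?:/[\w.\-]+){2,}|[A-Za-z]:\\[\w.\-\\]+")

def app(environ, start_response):
    """Constructed handler: serves ?page=<name>, raises if the file is missing."""
    name = environ.get("QUERY_STRING", "").partition("=")[2]
    with open(os.path.join(DOC_ROOT, os.path.basename(name) + ".txt")) as fh:
        body = fh.read()
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [body.encode()]

def verbose_errors(inner):
    """Weak setting: the error text, including the path, reaches the client."""
    def wrapped(environ, start_response):
        try:
            return inner(environ, start_response)
        except Exception:
            start_response("500 Internal Server Error", [("Content-Type", "text/plain")])
            return [traceback.format_exc().encode()]
    return wrapped

def quiet_errors(inner):
    """Corrected setting: details are logged; the client gets a reference id."""
    def wrapped(environ, start_response):
        try:
            return inner(environ, start_response)
        except Exception:
            ref = uuid.uuid4().hex[:8]
            logger.error("ref=%s\n%s", ref, traceback.format_exc())
            start_response("500 Internal Server Error", [("Content-Type", "text/plain")])
            return [f"Internal error (ref {ref})".encode()]
    return wrapped

def fetch(wsgi_app, query):
    """Call a WSGI app in-process and return the response body as text."""
    environ = {"REQUEST_METHOD": "GET", "QUERY_STRING": query}
    return b"".join(wsgi_app(environ, lambda status, headers: None)).decode()

def leaks_path(body):
    """True if a response body contains something shaped like an absolute path."""
    return bool(PATH_RE.search(body))
```

The reference id lets the webmaster match a user's report to the full log entry without any path appearing in the page.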