Internal Path (Windows)

  • CAPEC 118
  • CWE 200
  • WASC 13

Path disclosure enables the attacker to see the path to the webroot or to a file, e.g. /home/omg/htdocs/file/. Certain vulnerabilities, such as using load_file() within a SQL injection query to view a page's source, require the attacker to know the full path to the file they wish to view.

Path disclosure carries several risks.

  1. Attackers may use the path in combination with file inclusion vulnerabilities (see PHP File Inclusion) to steal files from the web application.

  2. It can also reveal the underlying operating system, since file paths differ by platform: Windows paths always start with a drive letter, e.g. C:, while paths on Unix-based operating systems start with a single forward slash.

    *NIX:

     Warning: session_start() [function.session-start]: The session id contains illegal characters,
     valid characters are a-z, A-Z, 0-9 and '-,' in /home/alice/public_html/includes/functions.php on line 2

    Windows:

     Warning: session_start() [function.session-start]: The session id contains illegal characters,
     valid characters are a-z, A-Z, 0-9 and '-,' in C:\Users\bob\public_html\includes\functions.php on line 2

    The two examples above also reveal usernames on the operating systems: alice and bob. Usernames are of course important pieces of credentials. Attackers can use them in many different ways, ranging from brute-forcing over various protocols (SSH, Telnet, RDP, FTP...) to launching exploits that require working usernames.
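The detection side of the two points above, as an added example that is not part of this page: a small Python scanner that looks for absolute file-system paths in an HTTP response body, tags each one with the operating-system family its format implies (drive letter versus leading slash), and reads the account name off well-known home-directory layouts. The regular expressions, the list of *NIX root directories used to anchor the match, the PathFinding type and the sample response (built from the two warnings quoted above plus one ordinary HTML line that must not trigger) are all assumptions of this example, not part of the page.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Absolute Windows path: drive letter, colon, backslash, then backslash-separated
# segments. Characters that are illegal in Windows file names end the match.
WINDOWS_PATH = re.compile(r"\b[A-Za-z]:\\(?:[^\\\s'\"<>|:*?]+\\)*[^\\\s'\"<>|:*?]*")

# Absolute *NIX path. A leading slash alone would also match URL paths such as
# "/products/list", so the match is anchored on common top-level directories
# (an assumed list; a precision trade-off) and must not follow "://" or a word.
NIX_PATH = re.compile(
    r"(?<![\w:/])/(?:home|var|usr|etc|opt|srv|tmp|export|root)/(?:[\w.-]+/)*[\w.-]+"
)

# Home-directory conventions from which a username can be read off.
WINDOWS_USER = re.compile(r"^[A-Za-z]:\\(?:Users|Documents and Settings)\\([^\\]+)", re.I)
NIX_USER = re.compile(r"^/(?:home|Users|export/home)/([^/]+)")


@dataclass
class PathFinding:
    path: str
    os_family: str            # "windows" or "unix"
    username: Optional[str]   # account implied by a home directory, if any
    line_no: int              # 1-based line of the response body


def _username(path: str, os_family: str) -> Optional[str]:
    pattern = WINDOWS_USER if os_family == "windows" else NIX_USER
    m = pattern.match(path)
    return m.group(1) if m else None


def scan_response(body: str) -> List[PathFinding]:
    """Return every absolute path found in a response body, in order of
    appearance, tagged with the OS family its format implies."""
    findings: List[PathFinding] = []
    for line_no, line in enumerate(body.splitlines(), start=1):
        hits = [(m.start(), m.group(0), "windows") for m in WINDOWS_PATH.finditer(line)]
        hits += [(m.start(), m.group(0), "unix") for m in NIX_PATH.finditer(line)]
        for _, path, os_family in sorted(hits):
            findings.append(PathFinding(path, os_family, _username(path, os_family), line_no))
    return findings


def os_fingerprint(findings: List[PathFinding]) -> set:
    """Operating-system families implied by the disclosed paths."""
    return {f.os_family for f in findings}


def leaked_usernames(findings: List[PathFinding]) -> List[str]:
    """Account names that the disclosed paths give away, deduplicated."""
    return sorted({f.username for f in findings if f.username})


# Constructed sample: the two PHP warnings quoted on this page as they would
# appear in a response body, preceded by an ordinary HTML line whose URL paths
# must not be reported.
SAMPLE_RESPONSE = """<p>See <a href="/products/list">our products</a> at http://example.com/shop/</p>
Warning: session_start() [function.session-start]: The session id contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,' in /home/alice/public_html/includes/functions.php on line 2
Warning: session_start() [function.session-start]: The session id contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,' in C:\\Users\\bob\\public_html\\includes\\functions.php on line 2
"""

if __name__ == "__main__":
    for f in scan_response(SAMPLE_RESPONSE):
        print(f"line {f.line_no}: {f.os_family:7} {f.path}  user={f.username}")
```

Run against the sample, the scanner reports the *NIX path on line 2 and the Windows path on line 3, fingerprints both OS families, and lists alice and bob as leaked usernames, while the URL paths on line 1 produce nothing. Both warnings are PHP runtime notices rendered into the page, which is the kind of output the display_errors directive controls; a scanner hit like this is the cue to turn error display off in production and keep errors in the server log instead.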

References