This article covers what a physical path information disclosure is, why it poses a threat, and how to eliminate it.

What is the Physical Path Information Disclosure?

Physical path disclosure is when text in files served by the system, or in its error pages, reveals the absolute filesystem path where those files are located.

In such cases, threat actors obtain information about their target's layout and gain important clues for understanding the internal structure of the organization's systems.

So How Does Physical Path Information Get Disclosed?

In the image below, an info.php file has been left on the server for various purposes. The info.php file shows details about the PHP version, but towards the bottom of the page it also reveals the full path of the info.php file itself.

The image below shows the full directory path revealed because the error message in Microsoft IIS was not configured.

Mitigation and Remediation

  • The page that disclosed the information should not be publicly accessible.
  • Error pages should not be left at their defaults; they should be configured with custom pages that do not echo server-side details.
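The two screenshots above (the phpinfo page and the default IIS error page) and the mitigation list can both be verified with a simple check: scan HTTP response bodies for absolute filesystem paths. The script below is an added example, not part of the original article; the three response bodies are constructed to imitate a leaking phpinfo page, a default IIS error page echoing a Windows path, and a properly configured custom error page, and the path patterns it looks for are an assumption about typical web roots rather than an exhaustive list.

```python
import re

# Constructed sample HTTP response bodies (not captured from any real server).
SAMPLE_RESPONSES = {
    # imitates the bottom of a phpinfo() page, which prints SCRIPT_FILENAME
    "info.php": '<tr><td>_SERVER["SCRIPT_FILENAME"]</td><td>/var/www/html/info.php</td></tr>',
    # imitates a default IIS error page that echoes the physical path
    "missing-page": "Server Error in '/' Application. Could not find file 'C:\\inetpub\\wwwroot\\missing.aspx'.",
    # a configured custom error page that reveals nothing about the filesystem
    "custom-error": "<h1>Something went wrong</h1><p>Please try again later.</p>",
}

# Windows drive-letter paths, e.g. C:\inetpub\wwwroot\page.aspx
WINDOWS_PATH = re.compile(r'\b[A-Za-z]:\\(?:[^\\\s<>"\']+\\)*[^\\\s<>"\']*')
# Unix paths under common web/system roots (assumed list), e.g. /var/www/html/info.php
UNIX_PATH = re.compile(r'(?<![\w/])/(?:var|home|usr|srv|opt|etc|www)/[^\s<>"\']+')


def find_physical_paths(body: str) -> list[str]:
    """Return the absolute filesystem paths found in one HTTP response body."""
    found = WINDOWS_PATH.findall(body) + UNIX_PATH.findall(body)
    # de-duplicate while preserving the order of first appearance
    return list(dict.fromkeys(found))


def audit(responses: dict[str, str]) -> dict[str, list[str]]:
    """Map each response name to the paths it leaks; an empty list means clean."""
    return {name: find_physical_paths(body) for name, body in responses.items()}


if __name__ == "__main__":
    for name, paths in audit(SAMPLE_RESPONSES).items():
        status = "LEAK" if paths else "ok"
        print(f"{status:4} {name}: {paths}")
```

Running this over responses collected from a staging server (for example after fetching known diagnostic pages and deliberately requesting a non-existent URL) gives a quick regression check that the mitigations above are in place: a clean result is an empty list for every response, and any non-empty list points at a page that either should be removed or whose error handling still needs to be configured.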

