# Internal Path Disclosure

## Introduction

A path disclosure vulnerability lets an attacker see the full path of a file on the server. This helps the attacker identify other vulnerabilities, or helps during the exploitation of vulnerabilities already identified.

## How it works

This is how the path is disclosed:

```
Warning: mysql_num_rows() expects parameter 1 to be resource, boolean given in C:\wamp\www\en\events_detail.php on line 47
```

If exploited, this vulnerability could lead to directory traversal, which could allow an attacker to gain read-only access to the root or other directories and ultimately to the web server.

## How to Fix

### WordPress path disclosure vulnerability

* On dedicated/VPS setups, the php.ini file is most likely at /etc/php.ini.
* On shared hosting, it should be in the root folder (public\_html). It is just an extra ini file that overrides the main php.ini settings. If it isn't there, you may need to create it.

Turn off `display_errors` there, using either of the following equivalent forms:

```
display_errors = 0
display_errors = Off
```

### Disabling Warning and Errors in .htaccess file

This method is applied to the .htaccess file in the root folder of the WordPress installation. If PHP is installed as an Apache module, you only have to add the following line:

```
php_flag display_errors off
```

### Disabling Warning and Errors in PHP file

Adding the setting to the wp-config.php file works in many scenarios, but not when someone requests a file directly, for example <http://site.com/wp-includes/rss.php>. In that case wp-config.php is not loaded and our configuration is not picked up, so a warning is raised that exposes the internal structure. This option would only work if it were added to every PHP file, which is obviously not a solution.

```
ini_set('display_errors','Off');
```

When the configuration is done, you can use the phpinfo() function to check that it has taken effect. After checking, remember to delete the phpinfo file.

| Directive                | Local Value | Master Value |
| ------------------------ | ----------- | ------------ |
| display\_errors          | Off         | Off          |
| display\_startup\_errors | Off         | Off          |

Configure custom 500 error pages for the whole web application.
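To confirm the fix also covers files requested directly (the wp-includes/rss.php case above), you can scan your own site's response bodies for PHP error text that still exposes a filesystem path. The following is an added example, not code from the original page; the function names, the `/var/www/html` path and the sample bodies are constructed for illustration.

```python
import re

# PHP's default error format is "<Level>: <message> in <file> on line <n>",
# with <b> tags around level, file and line when html_errors is enabled.
PHP_ERROR = re.compile(
    r"(?:<b>)?(?P<level>Fatal error|Parse error|Warning|Notice|Deprecated)(?:</b>)?:\s+"
    r"(?P<message>[^\r\n]*?)\s+in\s+(?:<b>)?"
    r"(?P<path>(?:[A-Za-z]:\\|/)[^<\r\n]+?)(?:</b>)?"  # Windows drive or Unix absolute path
    r"\s+on line\s+(?:<b>)?(?P<line>\d+)"
)

def find_path_disclosures(body):
    """Return (level, path, line) for each PHP error in body that exposes a server path."""
    return [(m["level"], m["path"], int(m["line"])) for m in PHP_ERROR.finditer(body)]

def audit(responses):
    """Map each URL whose response body leaks a filesystem path to its findings."""
    report = {}
    for url, body in responses.items():
        findings = find_path_disclosures(body)
        if findings:
            report[url] = findings
    return report

# Constructed sample bodies (not captured from a real site): the plain-text
# warning shown on this page, an HTML-formatted warning from a directly
# requested include file, a custom 500 page, and ordinary text that merely
# contains the word "Warning".
SAMPLES = {
    "/en/events_detail.php":
        "Warning: mysql_num_rows() expects parameter 1 to be resource, "
        r"boolean given in C:\wamp\www\en\events_detail.php on line 47",
    "/wp-includes/rss.php":
        "<br />\n<b>Warning</b>:  Undefined variable $feed in "
        "<b>/var/www/html/wp-includes/rss.php</b> on line <b>12</b><br />",
    "/broken": "<h1>500 Internal Server Error</h1><p>Something went wrong.</p>",
    "/news": "<p>Warning: maintenance in progress on line 2 of the metro.</p>",
}

if __name__ == "__main__":
    for url, findings in audit(SAMPLES).items():
        for level, path, line in findings:
            print(f"{url}: {level} exposes {path} (line {line})")
```

In practice, feed `audit()` the bodies fetched from your own site after changing php.ini or .htaccess; an empty report means no response matched PHP's default error format.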


