Full Path Disclosure from Kaspersky

If you visit the Kaspersky Cybermap website right now from a country other than an English-speaking one, you are greeted with a PHP notice and a PHP warning, which cause a full path disclosure on Kaspersky’s website.


Apparently the cybermap script is supposed to pull the text for languages other than English from individual files using the PHP function file_get_contents(). Because the files for certain languages don’t exist or are improperly defined in the multilang.php file, the warning kicks in and causes a full path disclosure.

To be honest, I did not think that the devops folks working with the Kaspersky websites would be lame enough to turn on verbose PHP error reporting and make it public.
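The failure described above, next to a hardened loader, as an added example that is not code from the Kaspersky site or from the original post. The function names, the JSON file layout, the allow-list and the demo directory are all assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Production setting: log error details server-side, never render them into the page.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
error_reporting(E_ALL);

const DEFAULT_LANG = 'en';
const ALLOWED_LANGS = ['en', 'de', 'ru'];   // constructed allow-list

// The pattern described above: with display_errors on, a missing file makes
// file_get_contents() print a warning that contains the absolute server path.
function load_strings_unsafe(string $dir, string $lang)
{
    return file_get_contents("{$dir}/{$lang}.json");
}

// Hardened: allow-list the language, check the file first, fall back to English.
function load_strings(string $dir, string $lang): array
{
    if (!in_array($lang, ALLOWED_LANGS, true)) {
        $lang = DEFAULT_LANG;
    }
    $path = "{$dir}/{$lang}.json";
    if (!is_file($path) || !is_readable($path)) {
        error_log("translation file missing for '{$lang}', using " . DEFAULT_LANG);
        $path = "{$dir}/" . DEFAULT_LANG . '.json';
    }
    $raw = is_readable($path) ? file_get_contents($path) : false;
    $strings = $raw === false ? null : json_decode($raw, true);
    return is_array($strings) ? $strings : [];
}

// Constructed demo data: only the English file exists.
$dir = sys_get_temp_dir() . '/lang_demo_' . getmypid();
if (!is_dir($dir)) {
    mkdir($dir, 0700, true);
}
file_put_contents("{$dir}/en.json", json_encode(['title' => 'Cyberthreat map']));

var_dump(load_strings($dir, 'de'));   // 'de' is allowed but its file is missing
var_dump(load_strings($dir, 'xx'));   // 'xx' is not on the allow-list
```

Setting display_errors = Off and log_errors = On in php.ini (or the pool configuration) covers every script on the host, so the ini_set() calls here are only a per-script backstop.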