Full Path Disclosure from Kaspersky
If you’d go now to the Kaspersky Cybermap website from a country other than an English speaking one, you would be prompted with a PHP notice and a PHP warning which cause a full path disclosure on Kaspersky’s website:
Apparently the cybermap script is supposed to pull the verbiage related with languages other than English from individual files by the use of the file_get_contents() PHP function and because the filename for certain languages don’t exist or are improperly defined in the multilang.php file the warning kicks in and causes a full path disclosure.
To be honest I did not think that devops folks working with the Kaspersky websites would be this lame to turn on verbose PHP error reporting and make it public.
Written by Malin
Self taught IT enthusiast with over 16 years of online background experience. On top of that I'm a blogger, webmaster, husband and father.