Response to Drupal 7.14 <= Full Path Disclosure Vulnerability

greggles's picture

There has recently been a publication of a path disclosure issue in Drupal with the title "Drupal 7.14 <= Full Path Disclosure Vulnerability"

As a response to this and the entire class of issues (that our error messages are optimized for usability over security) I've posted this faq entry: Information disclosure in error messages not a weakness (Path disclosure, SQL error messages, etc.)

Please help improve that page to provide any additional, useful guidance.

Edit: For search engines: This has now been assigned CVE-2012-2922.


Full Path Disclosure a risk?

no2e's picture

I have "Error messages to display" set to "None", but when I visit[]=x (as anonymous), I still get an error message with the full path disclosed.

The FAQ describes that it is not a problem, because you can disable the display of error messages. But when this doesn't work (like in my case), does that mean that it could be a risk?

It does appear that this

greggles's picture

It does appear that this specific issue gets around that setting, so I added information about PHP which should fix it.

As to whether or not this is a problem you have to ask yourself: is it a problem that someone knows the path to my document root. This is only a problem if you have a second vulnerability that makes this important such as (but not limited to) an arbitrary php execution or arbitrary file upload issue, but in those cases you should focus on fixing those vulnerabilities.

This has now been fixed in

greggles's picture

This has now been fixed in Drupal 7.15 and an issue for 6.x is ready for testers at

Thanks for the CVE

rickmanelius's picture

My first search turned up nothing, so I think that's a great improvement so we don't needlessly pester the security team :)