Full Path Disclosure (FPD) vulnerabilities let an attacker see the full path to the webroot or to a file, e.g. /home/omg/htdocs/file/. Certain vulnerabilities, such as using load_file() within a SQL injection query to view the page source, require the attacker to know the full path to the file they wish to view.
How to fix this vulnerability: Review the source code for this script.
How to replicate: Cookie input CONCRETE5 was set to
Error message found: <b>Warning</b>: session_start() [<a href='function.session-start'>function.session-start</a>]: The session id is too long or contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,' in <b>/home/enterpri/public_html/updates/concrete18.104.22.168_updater/concrete/startup/session.php</b> on line <b>36</b><br />
As we can clearly see, the error message discloses the full path.
Affected params: / /index.php /tools/required/captcha
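
A regression check for the error output quoted above, as an added example that is not part of the original report: it strips the HTML that PHP wraps around errors and flags any response body whose error message exposes an absolute file path. The function name and the two constructed samples are assumptions; the first sample is the message quoted in this report.

```python
import html
import re

# PHP prints errors as "<level>: <message> in <file> on line <n>", wrapped in
# <b>/<a> tags when html_errors is on. Tags are stripped before matching.
TAG = re.compile(r"<[^>]+>")
PHP_ERROR = re.compile(
    r"(?P<level>Warning|Notice|Deprecated|Fatal error|Parse error):\s*"
    r"(?P<message>[^\r\n]*?)\s+in\s+"
    r"(?P<path>(?:/|[A-Za-z]:[\\/])[^\r\n]*?)\s+on\s+line\s+(?P<line>\d+)"
)


def find_path_disclosures(body):
    """Return one dict per PHP error in `body` that leaks an absolute path."""
    text = html.unescape(TAG.sub("", body))
    return [
        {
            "level": m.group("level"),
            "message": m.group("message"),
            "path": m.group("path"),
            "line": int(m.group("line")),
        }
        for m in PHP_ERROR.finditer(text)
    ]


# Error body quoted in this report (returned for the CONCRETE5 cookie input).
PAGE_SAMPLE = (
    "<b>Warning</b>: session_start() [<a href='function.session-start'>"
    "function.session-start</a>]: The session id is too long or contains "
    "illegal characters, valid characters are a-z, A-Z, 0-9 and '-,' in "
    "<b>/home/enterpri/public_html/updates/concrete18.104.22.168_updater/"
    "concrete/startup/session.php</b> on line <b>36</b><br />"
)
# Constructed samples: a plain-text error (html_errors off) and a clean page.
PLAIN_SAMPLE = "Notice: Undefined index: id in /var/www/example/index.php on line 12\n"
CLEAN_SAMPLE = "<html><body><p>Sign in to continue</p></body></html>"

if __name__ == "__main__":
    samples = [("page", PAGE_SAMPLE), ("plain", PLAIN_SAMPLE), ("clean", CLEAN_SAMPLE)]
    for name, body in samples:
        hits = find_path_disclosures(body)
        print(name, "LEAK" if hits else "ok", [(h["path"], h["line"]) for h in hits])
```

Run against the affected URLs after the fix; an empty result for each response means the error text no longer reaches the client.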