The following web applications are found to have full path disclosure flaws (Ref: WASC-13, CWE-200).

-----------------------------------------
htmlpurifier-4.2.0
phpids-0.6.5
PhpSecInfo
111WebCalendar-1.2.3
adodb
aef-1.0.8
ATutor-2.0
auth
b2evolution-3.3.3
bbpress-1.0.2
cftp-r80
claroline-1.9.7
clipbucket_2.0.9_stable_Fr
cmsmadesimple-1.9.2
CodeIgniter_1.7.2
concrete5.4.0.5
concrete5.4.1.1
CopperminePhotoGallery-1.5.12
craftysyntax3.0.2
CubeCart-4.4.3
dokuwiki-2009-12-25c
Dolphin-7.0.4
dotproject-2.1.4
drupal-7.0
e107_0.7.24
eggblog_4.1.2
elgg-1.7.6
ExoPHPDesk_1.2.1
eyeOS-2.2.0.0
fengoffice_1.7.2
freeway_1_5_alpha_Burstow
frontaccounting-2.3.1
helpcenterlive-2.1.7
hesk-2.2
jcow.4.2.1
joomla-1.6.0
kamads-2_b3
kplaylist.1.8.502
lifetype-1.2.10
limesurvey190plus-build9642-20101214
linpha-1.3.4
mambo-4.6.5
mantisbt-1.2.4
moodle-2.0.1
mound-2.1.6
mybb-1.6
nucleus3.61
NuSOAP
open-realty-2.5.8
OpenBlog-1.2.1
opencart_v1.4.9.3
opendocman-1.2.6-svn-2011-01-21
orangehrm-2.6.0.2
oscommerce-3.0a5
phorum-5.2.15a
PHP-Easy-Survey-Package-2.1.1
PHP-Nuke-8.0
PHP-Point-Of-Sale-10.7
phpads-2.0
phpAlbum_v0.4.1.14.fix06
phpBook-2.1.0
phpcollab-2.5
PHPDevShell-V3.0.0-Beta-4b
PHPfileNavigator-2.3.3
phpFormGen-2.09
phpfreechat-1.3
PhpGedView-all-4.2.3
phpicalendar-2.4
phpld-2-151.2.0
phpmyfaq-2.6.13
phprojekt-6.0.5
phpScheduleIt_1.2.12
phpwcms-1.4.7r412
piwigo-2.1.5
piwik-1.1
pixelpost_v1.7.3
pixie_v1.04
PliggCMS1.1.3
podcastgen1.3
prestashop_1.4.0.6
projectpier-0.8.0.3
serendipity-1.5.5
Smarty
statusnet-0.9.6
SugarCRM-6.1.0
taskfreak-multi-mysql-0.6
tcexam_11.1.015
textpattern-4.2.0
thebuggenie_2.1.2
theHostingTool-v1.2.3
TinyMCE
TinyWebGallery-1.8.3
tomatocart-1.1.3
vanilla-2.0.16
WebCalendar-1.2.3
WeBid-1.0.0
webinsta-mail-list-1.3e
WebsiteBaker_2.8.1
wordpress-3.0.4
xajax
xoops-2.5.0
YOURS
Zend
zikula-1.2.4
------------------------------------------------

Vulnerable files list for each application can be found at
http://yehg.net/lab/pr0js/advisories/path_disclosure/
http://yehg.net/lab/pr0js/advisories/path_disclosure.zip

Solution:

Disable PHP's display_errors setting. For those who manage servers, set display_errors = Off in the php.ini file. For those who don't, simply put "php_flag display_errors off" in the .htaccess file of the web root directory (unless it is restricted by php_admin_flag).

---------------------------------
Best regards,
YGN Ethical Hacker Group
Yangon, Myanmar
http://yehg.net
Our Lab | http://yehg.net/lab
Our Directory | http://yehg.net/hwd

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
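The fix recommended in the advisory's Solution section, shown as an added example that is not part of the YGN post and not code from any of the listed applications. It puts the php.ini / .htaccess equivalents in comments, applies the same settings at runtime, and adds a small audit function an administrator can run from a deployment check. The pool-file lines for PHP-FPM and the file names used are assumptions for illustration. One caveat the advisory does not spell out: runtime ini_set() only covers errors raised after that line executes, so parse and startup errors still need the php.ini or .htaccess setting; and php_flag in .htaccess only takes effect under mod_php with AllowOverride permitting it.

```php
<?php
// Added example (not from the YGN advisory): the runtime equivalent of
// "display_errors = Off" plus a self-check for the effective configuration.
//
// Static equivalents of what this script sets:
//   php.ini             : display_errors = Off
//                         log_errors = On
//   .htaccess (mod_php) : php_flag display_errors off
//   php-fpm pool file   : php_flag[display_errors] = off        (assumed layout)
//                         php_admin_flag[log_errors] = on

declare(strict_types=1);

// Weak state (what the listed applications ran with): every warning, e.g.
// "include(lib.php): failed to open stream ... in /var/www/app/index.php on
// line 12", is rendered into the HTTP response together with the absolute path.
//
// Hardened state: keep reporting everything, but to the error log only.
ini_set('display_errors', '0');
ini_set('display_startup_errors', '0');
ini_set('log_errors', '1');
error_reporting(E_ALL);

// Belt and braces: route anything that still fires to the log and mark it
// handled, so PHP's default printing handler is never reached.
set_error_handler(static function (int $errno, string $errstr, string $errfile, int $errline): bool {
    error_log(sprintf('php error %d: %s in %s:%d', $errno, $errstr, $errfile, $errline));
    return true;
});

/**
 * Audit the effective error-display configuration of this PHP process.
 * Returns a list of findings; an empty array means no path can leak this way.
 */
function audit_error_display(): array
{
    $findings = [];

    // display_errors accepts "1", "On", "stdout" and "stderr" (all effectively
    // on) as well as "0", "Off" and "" (off); compare case-insensitively.
    $display = strtolower(trim((string) ini_get('display_errors')));
    if (in_array($display, ['1', 'on', 'true', 'yes', 'stdout', 'stderr'], true)) {
        $findings[] = 'display_errors is enabled: warnings will reach the client';
    }
    if (!filter_var(ini_get('log_errors'), FILTER_VALIDATE_BOOLEAN)) {
        $findings[] = 'log_errors is disabled: errors are dropped instead of logged';
    }
    return $findings;
}

/**
 * Constructed demonstration of the code-level side of the fix: guard an
 * include instead of letting a failed include emit a warning. Many of the
 * disclosed paths come from files that are requested directly rather than
 * via their intended includer, so the warning never fires if the file is
 * checked first and a generic message is returned.
 */
function safe_include_demo(): string
{
    $target = __DIR__ . '/does-not-exist.php';   // constructed path for the demo
    if (!is_file($target)) {
        return 'resource unavailable';            // generic text, no path
    }
    include $target;
    return 'included';
}

if (PHP_SAPI === 'cli') {
    $findings = audit_error_display();
    echo $findings === [] ? "error display hardened\n" : implode("\n", $findings) . "\n";
    echo safe_include_demo(), "\n";
}
```

Run it with the CLI interpreter to see the audit result for the current php.ini; under a web SAPI the same audit_error_display() call can be wired into a health-check endpoint that returns only "ok" or "misconfigured" to the client while logging the detail server-side.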