validate.php in WebCalendar allows remote malicious users to gain sensitive information via an invalid encoded_login parameter, which reveals the full path in an error message.