admin/admin_disallow.php in phpBB 2.0.18 allows remote malicious users to obtain the installation path via a direct request with a non-empty setmodules parameter, which causes an invalid append_sid function call that leaks the path in an error message.
Vulnerable Product | Search on Vulmon | Subscribe to Product |
---|---|---|
phpbb group phpbb 2.0.18 |