Two of these "full path disclosure" error messages suggest a much more serious problem: http://localhost/jaf-cms/index.php?page=forum&category=general&id=3/* Warning: fopen(module/files/3/*): failed to open stream: No such file or directory in /var/www/html/jaf-cms/module/forum/inc/csvfile.php on line 197 The attacker's input - the "id" parameter - is eventually being used in an fopen call. Is the input being filtered or cleansed anywhere? Is this really a directory traversal problem? Can the attacker open arbitrary files? I don't have the tool installed, so I can't verify, but here are some clues from the source code. In forum.php in 3.0 Final: /* note: no previous mention of $id anywhere until the next line */ if(isset($id)) { /* main data base access */ $base_comment_file = new csvfile; $base_comment_file->name="module/files/".$id; In csvfile.php, the cvsfile class is defined with the following method: function open( $mode ) // opens the data source { if ( ! $this->handle = fopen( $this->name, $mode ) ) { return false; } So maybe at least CSV formatted files can be read; maybe arbitrary files can be modified if any are opened in write mode? Again, I don't have the tool involved, so I can't prove it for sure. - Steve
