There are three problems I am going to talk about here, none of which I believe to be critical. The
first causes an SQL error by tampering with the offset in the "sources/Memberlist.php" feature.
Below is an example of a "vulnerable" query.
index.php?act=Members&max_results=10&filter=ALL&sort_order=asc&sort_key=name&st=[ Junk ]
The same issue is also present in the "sources/Online.php" file:
index.php?act=Online&CODE=listall&sort_key=click&sort_order=desc&show_mem=all&st=[ Junk ]
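For comparison, here is how a defender would harden the offset handling the two requests above abuse. This is an added example, not code from the affected package; the `$db` PDO handle, the `members` table and its column names are assumptions.

```php
<?php
// Added example (not the affected project's code): hardened handling of the
// "st" offset parameter. Assumes a PDO handle $db and a table members(id, name,
// posts, joined); both are placeholders.

function parse_page_size(array $query): int
{
    // Page size is restricted to a short allow-list rather than trusted.
    $allowed = [10, 20, 50];
    $n = (int)($query['max_results'] ?? 10);
    return in_array($n, $allowed, true) ? $n : 10;
}

function parse_offset(array $query, int $max_results): int
{
    // Accept only a plain non-negative integer of sane length; junk such as
    // "st=[ Junk ]" falls back to 0 instead of reaching the SQL engine.
    $raw = (string)($query['st'] ?? '0');
    if (!preg_match('/^\d{1,9}$/', $raw)) {
        return 0;
    }
    $offset = (int)$raw;
    // Snap to a page boundary so the offset is always consistent with paging.
    return $offset - ($offset % max(1, $max_results));
}

function fetch_members(PDO $db, array $query): array
{
    $max_results = parse_page_size($query);
    $offset      = parse_offset($query, $max_results);

    // Sort key and direction are mapped through allow-lists, never interpolated
    // from the raw request.
    $sort_keys  = ['name' => 'name', 'posts' => 'posts', 'joined' => 'joined'];
    $sort_key   = $sort_keys[$query['sort_key'] ?? 'name'] ?? 'name';
    $sort_order = (($query['sort_order'] ?? 'asc') === 'desc') ? 'DESC' : 'ASC';

    // LIMIT/OFFSET are bound as integers, so the driver quotes nothing and
    // no attacker-supplied text can change the shape of the statement.
    $sql  = "SELECT id, name FROM members ORDER BY $sort_key $sort_order "
          . "LIMIT :limit OFFSET :offset";
    $stmt = $db->prepare($sql);
    $stmt->bindValue(':limit', $max_results, PDO::PARAM_INT);
    $stmt->bindValue(':offset', $offset, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}
```

With this in place the junk value from the advisory's request simply yields the first page, and a malformed offset no longer produces a database error that could leak query structure.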
The other problem is that it is easy for an attacker to learn the full physical path of the
webserver. This can be accomplished via the "Change Personal Photo" option in the user control
panel. By entering an invalid character such as a null character "%20" in the upload box and
submitting the form you will be greeted by the following error message:
Warning: getimagesize() [function.getimagesize]:
Read error! in /full/path/sources/lib/usercp_functions.php on line 192