PT-2005-5044 · Phpbb · Phpbb

Cxib8O3 +1 · Published 2005-12-20 · Updated 2018-10-19 · CVE-2005-4358

CVSS v2.0: 5.0 Medium

Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Name of the Vulnerable Software and Affected Versions

phpBB version 2.0.18

Description

The issue allows remote attackers to obtain the installation path of phpBB. This is achieved by making a direct request to the 'admin/admin_disallow.php' endpoint with a non-empty setmodules parameter. The request causes an invalid append_sid function call, resulting in the installation path being leaked in an error message.

Recommendations

For phpBB version 2.0.18, consider restricting access to the 'admin/admin_disallow.php' endpoint until a fix is available. As a temporary workaround, avoid using the setmodules parameter in requests to this endpoint to minimize the risk of path disclosure.
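To check whether the endpoint has already been requested in the way the description states, the following added example (not part of the original advisory or of phpBB) scans web server access logs for direct requests to admin/admin_disallow.php that carry a non-empty setmodules parameter. The Common/Combined Log Format, the function names and the sample log lines are assumptions made for illustration.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Client, method, request target and status of a Common/Combined Log Format
# entry (assumed log format).
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')
TARGET = "admin/admin_disallow.php"

def is_path_disclosure_probe(request_target: str) -> bool:
    """True for a request to admin_disallow.php with a non-empty setmodules."""
    parts = urlsplit(request_target)
    # Decode and normalise so /forum//admin/./admin_disallow.php still matches.
    path = posixpath.normpath(unquote(parts.path)).lower()
    if not path.endswith("/" + TARGET):
        return False
    # Only the query string is visible in access logs; parameters sent any
    # other way are not covered by this check.
    params = parse_qs(parts.query, keep_blank_values=True)
    # PHP also accepts array syntax such as setmodules[]=1.
    return any(
        name.split("[", 1)[0] == "setmodules" and any(v != "" for v in values)
        for name, values in params.items()
    )

def find_probes(log_lines):
    """Return (client, request target, status) for each matching log line."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.match(line)
        if m and is_path_disclosure_probe(m.group(3)):
            hits.append((m.group(1), m.group(3), int(m.group(4))))
    return hits

# Constructed sample lines using documentation address ranges, not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [20/Dec/2005:10:01:02 +0000] "GET /phpBB2/admin/admin_disallow.php?setmodules=1 HTTP/1.1" 200 412',
    '198.51.100.7 - - [20/Dec/2005:10:01:05 +0000] "GET /phpBB2//admin/./admin_disallow.php?setmodules%5B%5D=x HTTP/1.1" 200 412',
    '203.0.113.9 - - [20/Dec/2005:10:02:00 +0000] "GET /phpBB2/admin/admin_disallow.php?setmodules= HTTP/1.1" 200 3021',
    '203.0.113.9 - - [20/Dec/2005:10:02:09 +0000] "GET /phpBB2/admin/admin_disallow.php?sid=abc HTTP/1.1" 200 3021',
    '192.0.2.44 - - [20/Dec/2005:10:03:00 +0000] "GET /phpBB2/viewtopic.php?t=1&setmodules=1 HTTP/1.1" 200 9000',
]

if __name__ == "__main__":
    for hit in find_probes(SAMPLE_LOG):
        print(hit)
```
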

Fix


Related Identifiers

CVE-2005-4358

Affected Products

Phpbb