VYPR
Unrated severity · NVD Advisory · Published Nov 22, 2005 · Updated Apr 16, 2026

CVE-2005-3739

Description

Unspecified vulnerability in subheader.php in PHP-Fusion 6.00.206 and earlier allows remote attackers to obtain the full path via unspecified vectors.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

PHP-Fusion 6.00.206 and earlier discloses the full server path via subheader.php, aiding further attacks.

Vulnerability

In PHP-Fusion versions 6.00.206 and earlier, the file subheader.php lacks the path disclosure protection present elsewhere in the application [1]. An unspecified vector allows remote attackers to trigger an error that reveals the full server filesystem path. The exact conditions required are not detailed, but the vulnerability is present in the default installation.

Exploitation

An attacker can exploit this by sending a crafted HTTP request to subheader.php without any prior authentication or special privileges [1]. The request may involve malformed parameters or direct access that causes PHP to output an error message containing the absolute path. No user interaction is required.

Impact

Successful exploitation results in disclosure of the full server path (e.g., /var/www/html/). While this is a low-severity information leak, it can assist an attacker in planning further attacks, such as exploiting local file inclusion or SQL injection vulnerabilities that require knowledge of the filesystem layout.

Mitigation

The vendor acknowledged the issue on November 19, 2005, and stated they would address it [2]. No specific patched version is mentioned in the available references. Users should upgrade to a later version of PHP-Fusion that includes a fix for this path disclosure. As a workaround, administrators can disable error display or configure custom error handlers to prevent path leakage. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

References

6
