[Original text] The calendar module in phpWebSite 0.9.x and earlier allows remote attackers to obtain the full pathname of phpWebSite via an invalid year, which generates an error from localtime() in TimeZone.php of the Pear library.
phpWebSite contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when improper input is passed to the "year" variable, which discloses the web server's physical path, resulting in a loss of confidentiality.
Upgrade to version 0.8.3 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.