phpGedView before 2.65 allows remote attackers to obtain the absolute path of the web server via malformed parameters to (1) indilist.php, (2) famlist.php, (3) placelist.php, (4) imageview.php, (5) timeline.php, (6) clippings.php, (7) login.php, and (8) gdbi.php.
PhpGedView contains a flaw that may lead to unauthorized information disclosure. The issue is triggered when a remote attacker sends a specially crafted URL to the "indilist.php" script, which discloses the server installation path, resulting in a loss of confidentiality.
Upgrade to version 3.00.1 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.