Multiple vulnerabilities were reported to exist in phProfession, which is a third-party module for PostNuke. Path disclosure, cross-site scripting and SQL injection vulnerabilities were reported.
Exploitation of these issues may reveal sensitive information, allow for account hijacking, content manipulation and attacks against the underlying database.
These issues were reported to exist in phProfession 2.5. Other versions may also be affected.
phProfession upload.php Direct Request Path Disclosure
Remote / Network Access
Loss of Confidentiality
phProfession contains a flaw that may allow a malicious user to reveal the installation path of the software. The issue is triggered when accessing "upload.php" directly. It is possible that the flaw may expose information about the HTTP server's file system, resulting in a loss of confidentiality.
Currently, there are no known upgrades, patches, or workarounds available to correct this issue.