[Original text] NukeJokes 1.7 and 2 Beta allows remote attackers to obtain the full path of the server via (1) a direct call to mainfunctions.php, (2) an invalid jokeid parameter in a JokeView function, or (3) an invalid cat parameter in a CatView function, which reveals the path in a PHP error message.
NukeJokes contains a flaw that may lead to an unauthorized information disclosure. This flaw exists because the application does not validate the "jokeid" or "cat" variables upon submission to the NukeJokes module. This could allow a remote attacker to create specially crafted GET requests that disclose the installation path, resulting in a loss of confidentiality.
Upgrade to version 2.1 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.
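To confirm whether a deployment still leaks its installation path in PHP error messages, as described above, a response-body check along these lines can be run over saved pages or proxy captures. This is an added example, not NukeJokes code; the function name, the sample bodies, and the directory names in them are constructed for illustration.

```python
import html
import re
from typing import NamedTuple


class Disclosure(NamedTuple):
    level: str  # PHP error level, e.g. "Warning"
    path: str   # absolute filesystem path that leaked
    line: int   # source line reported by PHP


# PHP's default error format: "<level>: <message> in <file> on line <n>".
# Only absolute paths (Unix "/..." or Windows "C:\...") count as a leak.
# Limitation: paths containing spaces are not matched.
_PHP_ERROR = re.compile(
    r"(?P<level>Fatal error|Parse error|Warning|Notice)\s*:\s+"
    r"(?P<msg>.*?)\s+in\s+"
    r"(?P<path>(?:/|[A-Za-z]:[\\/])[^\s<>'\"]*?\.(?:php\d?|inc))\s+"
    r"on\s+line\s+(?P<line>\d+)",
    re.DOTALL,
)
_TAG = re.compile(r"<[^>]+>")


def find_path_disclosures(body: str) -> list[Disclosure]:
    """Return every PHP error in an HTTP response body that reveals a server path."""
    # With html_errors enabled PHP wraps the level, file and line in <b> tags
    # and entity-encodes the message, so normalise to plain text first.
    text = html.unescape(_TAG.sub("", body))
    return [
        Disclosure(m["level"], m["path"], int(m["line"]))
        for m in _PHP_ERROR.finditer(text)
    ]


# Constructed sample bodies (not captured from a real server).
SAMPLE_HTML_ERROR = (
    "<br />\n<b>Warning</b>:  mysql_fetch_row(): supplied argument is not a valid "
    "MySQL result resource in <b>/home/example/public_html/modules/NukeJokes/"
    "mainfunctions.php</b> on line <b>112</b><br />"
)
SAMPLE_PLAIN_ERROR = (
    r"Fatal error: Call to undefined function opentable() in "
    r"C:\inetpub\wwwroot\modules\NukeJokes\mainfunctions.php on line 9"
)
SAMPLE_CLEAN = "<p>A joke that mentions a file in /dev/null on line one.</p>"

if __name__ == "__main__":
    for body in (SAMPLE_HTML_ERROR, SAMPLE_PLAIN_ERROR, SAMPLE_CLEAN):
        print(find_path_disclosures(body))
```

An empty result for every page of the module after upgrading indicates the error output no longer exposes the path.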