PHPX 3.2.6 and earlier allows remote attackers to obtain the physical path of PHPX via a null or invalid value in the limit parameter, which leaks the pathname in a database error message, as demonstrated using forums.php.
PHPX contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when a remote attacker requests the "forums.php" script with invalid arguments, which discloses the physical path of the web server, resulting in a loss of confidentiality.
Upgrade to version 3.3.0 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.
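
A log check for the request pattern described above, as an added example that is not part of the original advisory or of PHPX itself: it flags access-log requests to forums.php whose limit parameter is empty or not a plain integer. The log lines are constructed, and it is assumed that limit travels in the query string and that a legitimate value is a non-negative integer.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Client address and request target from a Common/Combined Log Format line.
LOG_RE = re.compile(r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" \d{3}')

def limit_problem(target):
    """Return why a request target matches the advisory pattern, else None."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith("/forums.php"):
        return None
    # keep_blank_values so "limit=" and a bare "limit" are seen as empty.
    params = parse_qs(parts.query, keep_blank_values=True)
    for value in params.get("limit", []):
        if value == "":
            return "empty limit"
        # Assumption: a legitimate limit is a non-negative ASCII integer.
        if not (value.isascii() and value.isdigit()):
            return "non-numeric limit"
    return None

def scan(lines):
    """Return (client_ip, target, reason) for every flagged log line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            reason = limit_problem(m.group("target"))
            if reason:
                hits.append((m.group("ip"), m.group("target"), reason))
    return hits

# Constructed sample access-log lines (documentation address ranges).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /forums.php?limit=20 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /forums.php?limit= HTTP/1.1" 200 812',
    '203.0.113.5 - - [01/Jan/2024:10:00:09 +0000] "GET /phpx/forums.php?limit=abc HTTP/1.1" 200 790',
    '192.0.2.10 - - [01/Jan/2024:10:00:12 +0000] "GET /index.php?limit= HTTP/1.1" 200 4096',
    '192.0.2.44 - - [01/Jan/2024:10:00:15 +0000] "GET /forums.php HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for ip, target, reason in scan(SAMPLE_LOG):
        print(f"{ip} {target} -> {reason}")
```

A hit shows only that such a request was made; whether a pathname was returned has to be confirmed from the response body or the application's error log.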