[原文]phpGroupWare 0.9.14.005 and earlier allow remote attackers to obtain sensitive information via a direct request to (1) hook_admin.inc.php, (2) hook_home.inc.php, (3) class.holidaycalc.inc.php, and (4) setup.inc.php.sample, which reveals the path in an error message.
phpGroupWare contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when an attacker requests the "setup.inc.php.sample" script without arguments, which will disclose the software installation path resulting in a loss of confidentiality.
Upgrade to version 0.9.14.006 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.