[Original text] search.php in Geeklog 1.4.x before 1.4.0rc1, and 1.3.x before 1.3.11sr3, allows remote attackers to obtain sensitive information via invalid (1) datestart and (2) dateend parameters, which leaks the web server path in an error message.
Geeklog contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when a remote attacker injects invalid SQL in the date field to search.php, which discloses the software's installation path, resulting in a loss of confidentiality. While such information is relatively low risk, it is often useful in carrying out additional, more focused attacks.
Upgrade to version 1.3.11sr3 or 1.4.0rc1 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.
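For sites reviewing past exposure, the following added example (not part of the original advisory and not Geeklog code) scans web server access log lines for search.php requests whose datestart or dateend value is not a valid date. The YYYY-MM-DD date format, the combined log layout, and all names in the code are assumptions; the log lines are constructed samples.

```python
import re
from datetime import datetime
from urllib.parse import urlsplit, parse_qs

# Assumption: dates are submitted as YYYY-MM-DD; adjust DATE_FORMAT to your deployment.
DATE_FORMAT = "%Y-%m-%d"
DATE_PARAMS = ("datestart", "dateend")
# Common/combined log format: client ... "METHOD target PROTOCOL" ...
REQUEST_RE = re.compile(r'^(?P<client>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"')

def is_valid_date(value):
    """True if value is empty (parameter unused) or a real calendar date."""
    if value == "":
        return True
    try:
        datetime.strptime(value, DATE_FORMAT)
        return True
    except ValueError:
        return False

def find_invalid_date_requests(log_lines):
    """Return (client, parameter, value) for each malformed date sent to search.php."""
    findings = []
    for line in log_lines:
        match = REQUEST_RE.match(line)
        if not match:
            continue
        url = urlsplit(match.group("target"))
        if not url.path.endswith("/search.php"):
            continue
        query = parse_qs(url.query, keep_blank_values=True)
        for name in DATE_PARAMS:
            for value in query.get(name, []):
                if not is_valid_date(value):
                    findings.append((match.group("client"), name, value))
    return findings

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2006:10:00:00 +0000] "GET /search.php?query=news&datestart=2005-12-01&dateend=2005-12-31 HTTP/1.1" 200 5120',
    '192.0.2.55 - - [01/Jan/2006:10:02:13 +0000] "GET /search.php?query=news&datestart=not-a-date&dateend= HTTP/1.1" 200 812',
    '192.0.2.55 - - [01/Jan/2006:10:02:20 +0000] "GET /search.php?query=news&datestart=2005-12-01&dateend=2005-13-45 HTTP/1.1" 200 812',
    '192.0.2.77 - - [01/Jan/2006:10:05:00 +0000] "GET /index.php?datestart=garbage HTTP/1.1" 200 9000',
]

if __name__ == "__main__":
    for client, name, value in find_invalid_date_requests(SAMPLE_LOG):
        print(f"{client}: invalid {name}={value!r}")
```

Access logs record only the request line, so parameters sent in a POST body will not appear in this output.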