[Original text] TinyPHPForum 3.6 and earlier stores the (1) users/[USERNAME].hash and (2) users/[USERNAME].email files under the web root with insufficient access control, which allows remote attackers to list all registered users and possibly obtain other sensitive information.
TinyPHPForum /users/ Directory User Information Disclosure
Remote / Network Access
Loss of Confidentiality
TinyPHPForum contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when a URL under the /users/ directory that holds confidential user information is requested, which discloses the user's password hash and other information, resulting in a loss of confidentiality.
The vendor has discontinued this product and therefore has no patch or upgrade that mitigates this problem. It is recommended that an alternate software package be used in its place.
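For administrators checking an existing installation, the following added example (not part of the original advisory or of TinyPHPForum) inventories which accounts have `.hash` or `.email` files sitting under the web root. The function names and the sample tree are hypothetical and constructed here; only the `users/[USERNAME].hash` and `users/[USERNAME].email` layout comes from the advisory.

```python
import os
import tempfile

# Per-user file extensions named in the advisory:
# users/[USERNAME].hash and users/[USERNAME].email
SENSITIVE_EXTS = {".hash": "password hash", ".email": "email address"}


def audit_users_dir(web_root, users_subdir="users"):
    """Return {username: [kinds of exposed data]} for files in web_root/users.

    Any file found here is stored below the document root, so the web
    server can serve it unless access to the directory is denied.
    """
    users_dir = os.path.join(web_root, users_subdir)
    exposed = {}
    if not os.path.isdir(users_dir):
        return exposed
    for name in sorted(os.listdir(users_dir)):
        stem, ext = os.path.splitext(name)
        path = os.path.join(users_dir, name)
        # Skip unrelated files (scripts, dotfiles) and anything without a username part.
        if stem and ext.lower() in SENSITIVE_EXTS and os.path.isfile(path):
            exposed.setdefault(stem, []).append(SENSITIVE_EXTS[ext.lower()])
    return {user: sorted(kinds) for user, kinds in exposed.items()}


def demo():
    """Build a constructed sample web root and audit it."""
    with tempfile.TemporaryDirectory() as root:
        users = os.path.join(root, "users")
        os.makedirs(users)
        # Constructed sample files; contents are placeholders, not real data.
        for fname in ("alice.hash", "alice.email", "bob.hash", "index.php"):
            with open(os.path.join(users, fname), "w") as fh:
                fh.write("constructed sample content\n")
        return audit_users_dir(root)


if __name__ == "__main__":
    for user, kinds in demo().items():
        print(f"{user}: stored under web root -> {', '.join(kinds)}")
```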