[Original text] view.php in KnowledgeTree Open Source 3.0.3 and earlier allows remote attackers to obtain the full installation path via a crafted fDocumentId parameter, which displays the path in the resulting error message. NOTE: this might be resultant from another vulnerability, since this vector also produces XSS.
KnowledgeTree Open Source view.php fDocumentId Variable Path Disclosure
Remote / Network Access
Loss of Confidentiality
KnowledgeTree Open Source contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when a remote attacker provides a crafted 'fDocumentId' variable to the view.php script, which then discloses the software's installation path, resulting in a loss of confidentiality. While such information is relatively low risk, it is often useful in carrying out additional, more focused attacks.
Currently, there are no known upgrades, patches, or workarounds available to correct this issue.