https://www.exploit-db.com/exploits/24035
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200412-798

phProfession2.5版本存在漏洞。远程攻击者可以借助一个对upload.php的直接HTTP请求获取敏感信息，该漏洞导致一个PHP错误信息的路径泄露。

source: http://www.securityfocus.com/bid/10190/info
 
Multiple vulnerabilities were reported to exist in phProfession, which is a third-party module for PostNuke. Path disclosure, cross-site scripting and SQL injection vulnerabilities were reported.
 
Exploitation of these issues may reveal sensitive information, allow for account hijacking, content manipulation and attacks against the underlying database.
 
These issues were reported to exist in phProfession 2.5. Other versions may also be affected.

http://www.example.com/postnuke0726/modules/phprofession/upload.php

来源:XF
名称:phprofession-upload-path-disclosure(15930)
链接:http://xforce.iss.net/xforce/xfdb/15930
来源:www.waraxe.us
链接:http://www.waraxe.us/index.php?modname=sa&id;=21
来源:BID
名称:10190
链接:http://www.securityfocus.com/bid/10190
来源:OSVDB
名称:5623
链接:http://www.osvdb.org/5623
来源:SECUNIA
名称:11465
链接:http://secunia.com/advisories/11465
来源:BUGTRAQ
名称:20040421[waraxe-2004-SA#021-Multiplevulnerabilitiesinphprofession2.5moduleforPostNuke]
链接:http://marc.theaimsgroup.com/?l=bugtraq&m;=108258931430060&w;=2