E-Business Designer (eBD) 3.1.4 and earlier allows remote attackers to obtain the full path of the web server via “'” characters, and possibly other invalid values, in (1) the id parameter to form_grupo.html, or requests to the (2) archivos/ and (3) files/ directories. NOTE: this issue might be resultant from SQL injection.
lists.grok.org.uk/pipermail/full-disclosure/2006-May/045980.html
secunia.com/advisories/20071
securityreason.com/securityalert/891
www.securityfocus.com/archive/1/433807/100/0/threaded
www.securityfocus.com/bid/17933
www.vupen.com/english/advisories/2006/1784
exchange.xforce.ibmcloud.com/vulnerabilities/26476