7 matches found
Input validation
PHPChain 1.0 and earlier allows remote attackers to obtain the installation path via invalid values of the catid parameter to (1) settings.php or (2) cat.php, as demonstrated by XSS manipulations...