[This was originally published on OSVDB, now gone. VulnDB IDs 24302, 24303]
Comment left on feedback page:
While testing your demo of Annuaire (Directory), I noticed a few security vulnerabilities:
Many pages are calling /include/lang-en.php which is showing the full installation path. Additionally, directly requesting this script will reveal the full path.
inscription.php: The comment field (COMMENTAIRE variable) allows for cross-site scripting (XSS) attacks.
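The two issues reported above (full path disclosure through a directly requested include file, and unencoded output of the COMMENTAIRE field) are common PHP defects with standard fixes. The following is an added illustration, not code from Annuaire or from the person who left the comment. The file layout (inscription.php including include/lang-en.php), the guard constant ANNUAIRE_LOADED, and the sample input are all assumptions made for the example.

```php
<?php
// Added example: hardened handling for the two reported problem classes.
// Assumed layout: this file is inscription.php; it pulls in include/lang-en.php.
// ANNUAIRE_LOADED is a hypothetical guard constant, not part of Annuaire.

// 1) Path disclosure. PHP warnings/notices embed absolute paths, so never
//    show them to the client; log them instead.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// Entry points define the guard before loading shared includes. Each include
// (e.g. include/lang-en.php) should start with:
//     if (!defined('ANNUAIRE_LOADED')) { http_response_code(403); exit; }
// so that requesting the include file directly yields nothing useful.
define('ANNUAIRE_LOADED', true);
if (is_file(__DIR__ . '/include/lang-en.php')) {
    require __DIR__ . '/include/lang-en.php';
}

// 2) XSS in the comment field.
// Vulnerable pattern: user input is reflected into HTML without encoding.
function render_comment_vulnerable(string $commentaire): string
{
    return '<p>' . $commentaire . '</p>';
}

// Hardened pattern: encode at the point of output, with explicit flags and
// charset so quotes and angle brackets cannot break out of the text node.
function render_comment_safe(string $commentaire): string
{
    $safe = htmlspecialchars($commentaire, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<p>' . $safe . '</p>';
}

// Constructed sample input standing in for a submitted COMMENTAIRE value.
$sample = '<b onmouseover="x()">hello</b>';

// The safe renderer must not leave any raw tag in the output.
$rendered = render_comment_safe($sample);
if (strpos($rendered, '<b') !== false) {
    throw new RuntimeException('encoding failed');
}

// In the real handler the value would come from the request:
$commentaire = isset($_POST['COMMENTAIRE']) ? (string) $_POST['COMMENTAIRE'] : $sample;
echo render_comment_safe($commentaire), PHP_EOL;
```

The important design point is that encoding happens on output, in the function that builds HTML, rather than on input; the same stored comment may later be emitted into a JavaScript string or an attribute, each of which needs its own encoding. For the path-disclosure issue, the guard constant stops include files from doing anything when fetched directly, and disabling display_errors removes the path from any warning that still slips through.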