Full Path disclosure --------------------- This hole is caused by direct access to file includes/legacy.php not protected PoC : http://site.co.id/maxdev/includes/legacy.php Fix : Turn off display error in php.ini can fix this security issue Blind sql inject ----------------- This hole is caused by filtered script not implemented to $topicid variable in file modules/Topics/pnuserapi.php PoC : http://site.co.id/maxdev/index.php?module=Topics&func=display&topicid=0 AND 1=0 http://site.co.id/maxdev/index.php?module=Topics&func=display&topicid=0 AND 1=1 Fix : Maxdev cms have a filtered script to protect all request but i'm so lazy to analyze the code, then i just add this code in modules/Topics/pnuserapi.php if(isset($_GET['topicid'])) { $topicid=$_GET['topicid']; validate($topicid); } function validate($char) { if(!is_numeric($char)) { die("i have received an error request"); } }