in user profile upload an avatar with a double extension like :
once it's done,you gone get an error like:Fatal error: Call to undefined function imagedestroy() in /.
but the last extension (jpg) will be removed by the script, and stored in :
xss get :
xss via mysql error:
full path disclosure:
multiples errors sql :
just add a ' on any var ..
or on any fields ( like in forum,search,...etc )
regards laurent gaffi=E9