There is a potentially dangerous line of code in many of those files:
require $pun_root.'lang/'.$language.'/'.$language.'_pms.php';
Without validation of where the variables originate from (i.e., common.php or the GET interface), problems could arise. If any of these are true, then this is dangerous.
* Obviously, register globals must be on.
* PHP 4.1.0 or less - A null can be put on strings meaning any file can be included, not just php files.
* If the version of PHP is 4.3.0 or greater, and allow_url_fopen is on, remote files can be included.
But, the problem is that even if that particular vulnerability isn't exploited successfully, there is plenty more. Many of the scripts, if accessed directly, make no checks of where the variables originated from. This can lead to XSS, SQL injection, session hijacking, etc., etc. The best solution would be to check if config.php is loaded:
// PUN is defined by the forum's config/common code; if it is missing, this file was requested directly.
if (!defined('PUN')) {
    exit('This file is not meant to be loaded directly');
}
And obviously, if the page is meant to be accessed directly, devise a more in-depth check to see where variables came from.
I don't know if this is truly an issue for you guys or not. If you require register_globals to be off (I don't believe you do) then it is secure, or if you expect people to devise protection themselves on individual files (which I don't believe you do).
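As an added illustration of the two fixes the post suggests (the direct-access guard plus validating where $language came from), here is a hardened version of the include line. This is example code written for this discussion, not PunBB's own code: it assumes $pun_root is the forum's base directory, that $language may arrive from an untrusted request parameter, and that the function name pun_safe_language and the fallback value 'English' are hypothetical.

```php
<?php
// Added example, not part of the original post or of PunBB.
// Assumes $pun_root is already set by the forum's common code.

// Refuse direct access: only continue when the forum's config/common code
// has defined the PUN constant, as the post recommends.
if (!defined('PUN')) {
    exit('This file is not meant to be loaded directly');
}

/**
 * Return a language name that is safe to use in an include path, or the
 * fallback. Only names made of letters, digits and underscores are accepted,
 * and only if a matching directory exists under lang/. The character check
 * rejects "../", NUL bytes and URLs, so neither traversal nor remote
 * inclusion can be reached through this value; the directory check limits it
 * to languages actually installed on this server.
 * (Hypothetical helper name; the fallback 'English' is an assumption.)
 */
function pun_safe_language($pun_root, $language, $fallback = 'English')
{
    if (!is_string($language) || !preg_match('/^[A-Za-z0-9_]+$/', $language)) {
        return $fallback;
    }

    // Build the set of installed languages from the filesystem rather than
    // trusting anything supplied by the request.
    $installed = array();
    foreach (glob($pun_root.'lang/*', GLOB_ONLYDIR) as $dir) {
        $installed[basename($dir)] = true;
    }

    return isset($installed[$language]) ? $language : $fallback;
}

// Derive $language from a validated source, never straight from the request
// (and never via register_globals).
$requested = isset($_GET['language']) ? $_GET['language'] : '';
$language  = pun_safe_language($pun_root, $requested);

// The include can now only ever name a file inside an installed language
// directory under $pun_root.
require $pun_root.'lang/'.$language.'/'.$language.'_pms.php';
```

The important design point is that the whitelist is derived from the server's own lang/ directory, so the allowed values never have to be maintained by hand, and the request can at most select among them.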