Abstract
When specific parameters are passed to the page that displays receipts, Giga shows an error message and prints an array listing a set of fields, possibly revealing a database structure or some other internal structure.
Reproduction steps
- Open http://www2.giga.ub.edu/acad/rebuts/erebut.php?NIUB=%20&NUCO=1 (it doesn't matter whether you have logged in).
Severity of the vulnerability
This is not a severe vulnerability, and I don't even think this could be considered a security vulnerability alone, because it cannot be used to directly exploit the system in any way. Despite this, I think this would allow an attacker to have a better understanding of how the system works internally and it would make it easier for them to find other vulnerabilities.
What should be done?
The array printed should be removed from the page.
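A regression check for this fix, as an added example that is not part of the original report or of Giga's code: it scans a rendered response body for PHP debug-dump output and lists the field names it exposes. It assumes the array was emitted by print_r() or var_dump(), which the report does not state; the function name, field names and sample pages are constructed for illustration.

```python
import html
import re

# Openers of PHP debug dumps. Assumption: the array on the receipt page was
# emitted by print_r() or var_dump(); the report does not say which.
DUMP_OPENERS = {
    "print_r": re.compile(r"\bArray\s*\(\s*\[[^\]\n]+\]\s*=>"),
    "var_dump": re.compile(r"\barray\(\d+\)\s*\{\s*\[[^\]\n]+\]\s*=>"),
}
# A key inside a dump: [name] => (print_r) or ["name"]=> (var_dump).
KEY = re.compile(r"\[\"?([^\]\"\n]+?)\"?\]\s*=>")


def find_debug_dump(body):
    """Return (kind, leaked_keys) for the first dump found, else None."""
    # '=&gt;' and '&quot;' appear when the dump was HTML-escaped on output.
    text = html.unescape(body)
    for kind, opener in DUMP_OPENERS.items():
        match = opener.search(text)
        if match:
            # Keep each key once, in the order it was printed.
            keys = list(dict.fromkeys(KEY.findall(text[match.start():])))
            return kind, keys
    return None


# Constructed response bodies (not captured from the real site).
LEAKY_PAGE = (
    "<p>Error</p><pre>Array\n(\n"
    "    [receipt_id] => \n    [amount] => \n)\n</pre>"
)
ESCAPED_PAGE = (
    "<p>Error</p>array(2) {\n  [&quot;receipt_id&quot;]=&gt;\n  NULL\n"
    "  [&quot;amount&quot;]=&gt;\n  NULL\n}"
)
CLEAN_PAGE = "<p>The receipt could not be displayed.</p>"

if __name__ == "__main__":
    for name, page in [("leaky", LEAKY_PAGE), ("escaped", ESCAPED_PAGE),
                       ("clean", CLEAN_PAGE)]:
        print(name, find_debug_dump(page))
```

Run against the error page after the fix, the check should return None; any other result names the fields still being printed.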
This bug is subject to a 90-day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.