3. If I give an invalid item ID I can get some pretty significant information disclosure
Code:
Fatal error: Uncaught exception 'PDOException' with message 'SQLSTATE[23000]: Integrity constraint violation: 1048 Column 'item_name' cannot be null' in /customers/5/9/e/4pan-dev.com/httpd.www/projects/tibia-market/engine/function/users.php:220 Stack trace: #0 /customers/5/9/e/4pan-dev.com/httpd.www/projects/tibia-market/engine/function/users.php(220): PDOStatement->execute(Array) #1 /customers/5/9/e/4pan-dev.com/httpd.www/projects/tibia-market/account.php(390): user->create_item('26', '2013', '1', 'Amera') #2 {main} thrown in /customers/5/9/e/4pan-dev.com/httpd.www/projects/tibia-market/engine/function/users.php on line 220
4. Based on this, I can do some path traversal. It's not initially useful, but if I start at "http://4pan-dev.com/projects/tibia-market/engine/function/", I have a base API directory to start brute-forcing file names for interesting data. There's nothing preventing me from querying these files (I can 'render' "http://4pan-dev.com/projects/tibia-market/engine/function/users.php"). If I try to change directories, I will get a 403 forbidden when the directory exists but a 404 not found when it doesn't. Writing a script to find every file in your API, and trying to DDoS/crash/exploit the site by 'rendering' the internal files becomes easy from this point.
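An added example, not code from the site or from the poster, of how the two findings above are normally closed on the server side in a PHP/PDO application: validate the item ID before it reaches the database, turn any uncaught exception into a generic response while the full trace goes to the server log, and make include files under engine/function/ refuse direct requests so the 403-versus-404 directory oracle goes away. The class name, table and column names, the `IN_APP` constant and the `$_POST` field are assumptions chosen to match the stack trace; it targets PHP 8.

```php
<?php
declare(strict_types=1);

// Added example, not the tibia-market project's code. Table, column and
// field names are assumptions chosen to match the stack trace in the report.

// 1. Never print uncaught exceptions to the browser in production; the
//    details still reach the server log via the handler further down.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// 2. Marker checked by every file under engine/function/. Each of those
//    files starts with:
//        if (!defined('IN_APP')) { http_response_code(404); exit; }
//    so a direct request for engine/function/users.php answers exactly
//    like a file that does not exist, and nothing in it executes.
define('IN_APP', true);

final class User
{
    public function __construct(private PDO $db) {}

    /** Insert an item for a user; rejects unknown item IDs before the INSERT. */
    public function createItem(int $itemId, int $year, int $amount, string $owner): void
    {
        // Resolve the name first so a bad ID is rejected here, not by the
        // NOT NULL constraint that produced the original SQLSTATE[23000].
        $stmt = $this->db->prepare('SELECT name FROM items WHERE id = ?');
        $stmt->execute([$itemId]);
        $name = $stmt->fetchColumn();
        if ($name === false) {
            throw new InvalidArgumentException('unknown item id');
        }
        $stmt = $this->db->prepare(
            'INSERT INTO user_items (item_id, item_name, year, amount, owner) VALUES (?, ?, ?, ?, ?)'
        );
        $stmt->execute([$itemId, $name, $year, $amount, $owner]);
    }
}

// 3. One place that turns any failure into a generic response. The exception
//    text (absolute paths, query, driver message) is logged with a reference
//    id; the client only ever sees that id.
set_exception_handler(function (Throwable $e): void {
    $ref = bin2hex(random_bytes(4));
    error_log(sprintf('[%s] %s: %s in %s:%d',
        $ref, get_class($e), $e->getMessage(), $e->getFile(), $e->getLine()));
    http_response_code(500);
    echo 'Something went wrong. Reference: ' . $ref;
});

// Validate at the edge: only a positive integer is allowed through.
// filter_input() returns null when the field is absent and false when invalid.
$itemId = filter_input(INPUT_POST, 'item_id', FILTER_VALIDATE_INT,
    ['options' => ['min_range' => 1]]);
if ($itemId === false || $itemId === null) {
    http_response_code(400);
    exit('Invalid item id');
}

// Placeholder DSN and credentials; ERRMODE_EXCEPTION keeps driver failures
// as exceptions so the handler above sees them.
$db = new PDO('mysql:host=localhost;dbname=market', 'DB_USER', 'DB_PASSWORD', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);

try {
    // Sample arguments mirroring the trace in the report.
    (new User($db))->createItem($itemId, 2013, 1, 'Amera');
    echo 'Item added';
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo 'No such item';
}
// A PDOException or anything else falls through to set_exception_handler.
```

The `defined('IN_APP')` guard is the part that matters for point 4: once every include answers a direct request with a plain 404, there is no longer a way to tell a real file under engine/function/ from a missing one, and the files themselves can no longer be executed out of context. Disabling `display_errors` alone covers point 3 but leaves that enumeration path open.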