csFAQ.cgi in csFAQ allows remote attackers to gain sensitive information via an invalid database parameter, which reveals the path to the web server in an error message.