Common Vulnerabilities and Exposures assigned an identifier CVE-2011-3707 to
the following vulnerability:
JanRain PHP OpenID library (aka php-openid) 2.2.2 allows remote
attackers to obtain sensitive information via a direct request to a
.php file, which reveals the installation path in an error message, as
demonstrated by Auth/Yadis/Yadis.php and certain other files.
Created php-pear-Auth-OpenID tracking bugs for this issue
Affects: fedora-all [bug 741383]
NOTABUG: The Fedora packages install php-pear-Auth-OpenID to /usr/share/pear/Auth_OpenID/ outside the webroot and there is no mapping/etc. to expose that directory.
Also it appears this bug was originally reported by yehg.net to Google, Yehg sources:
indicate that some PHP apps ship a static copy of php-pear-Auth-OpenID within their files and expose them within the webroot.