Path disclosure
We've talked a lot about always adding the defined('_JEXEC') or die statement at the top of all your PHP files, which prevents direct execution of the PHP files and only allows them to run via Joomla!. If you leave this out, it can lead to path disclosure vulnerabilities: error messages on your site that tell the hacker details about your website, such as the full path of the files on the web server. This may reveal information such as the username of your account with your hosting company, which is often the same username used to log in to cPanel or to connect to the site via FTP.
We can easily simulate this by editing clicktocall.php under /plugins/content/clicktocall and removing the defined('_JEXEC') or die statement at the top of the file. Then browse to the following URL (where joomla3 is your site name on your local development environment):

http://localhost/joomla3/plugins/content/clicktocall/clicktocall.php
Note
You may need to set display_errors =...
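As an added example (not code from the book or from Joomla!), here is a small Python checker that flags plugin files whose first executable statement is not the _JEXEC guard, the kind of scan you would run over an extension before shipping it. The two sample file contents, including the plgContentClicktocall class, are constructed for the demo.

```python
import re
import tempfile
from pathlib import Path

# Guard forms Joomla extensions use (3.x and 4.x styles):
#   defined('_JEXEC') or die;   \defined('_JEXEC') or die('Restricted access');
#   if (!defined('_JEXEC')) { die(); }
GUARD_RE = re.compile(
    r"""\\?defined\(\s*['"]_JEXEC['"]\s*\)\s*or\s*(?:die|exit)\b"""
    r"""|if\s*\(\s*!\s*\\?defined\(\s*['"]_JEXEC['"]\s*\)\s*\)""",
    re.IGNORECASE,
)
OPEN_TAG_RE = re.compile(r"<\?php\b")
# Heuristic comment stripper: good enough for license headers and doc blocks.
COMMENT_RE = re.compile(r"/\*.*?\*/|(?://|#)[^\n]*", re.DOTALL)
# A leading declare()/namespace statement is harmless before the guard.
PREAMBLE_RE = re.compile(r"^(?:(?:declare\s*\([^)]*\)|namespace\s+[\w\\]+)\s*;\s*)*", re.I)

def has_jexec_guard(src: str) -> bool:
    """True if the first executable statement after <?php is a _JEXEC guard.
    A guard that appears only after other code is too late and is rejected."""
    m = OPEN_TAG_RE.search(src)
    if not m:
        return False                       # no PHP block, nothing to execute
    body = COMMENT_RE.sub("", src[m.end():]).lstrip()
    body = PREAMBLE_RE.sub("", body, count=1)
    return GUARD_RE.match(body) is not None

def unguarded_files(root: Path) -> list[str]:
    """Names of .php files under root that do not begin with the guard."""
    return sorted(p.name for p in root.rglob("*.php")
                  if not has_jexec_guard(p.read_text(errors="replace")))

# Constructed samples: the plugin file with and without the guard.
HARDENED = """<?php
/**
 * @license GNU General Public License version 2 or later
 */
defined('_JEXEC') or die;
jimport('joomla.plugin.plugin');
class plgContentClicktocall extends JPlugin {}
"""
UNGUARDED = HARDENED.replace("defined('_JEXEC') or die;\n", "")

def demo() -> list[str]:
    """Write both samples into a scratch plugin tree and report the offenders."""
    with tempfile.TemporaryDirectory() as d:
        plugin_dir = Path(d) / "plugins" / "content" / "clicktocall"
        plugin_dir.mkdir(parents=True)
        (plugin_dir / "clicktocall.php").write_text(HARDENED)
        (plugin_dir / "clicktocall_unguarded.php").write_text(UNGUARDED)
        return unguarded_files(Path(d))   # returns ['clicktocall_unguarded.php']
```

Run it as `python check_jexec.py` after adding a `print(demo())` call, or point `unguarded_files` at your real plugins directory.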