
Ilia Alshanetsky's Blog:
Path Disclosure and PHP
Jul 18, 2005 @ 11:14:47

Ilia Alshanetsky writes on his blog about a "vulnerability" that he has come across in several applications: the inevitable "path disclosure vulnerability".

In the past few days I've been testing a number of my own applications and scripts as well as various bits and pieces of applications written by others that I use, using an automated scanning tool I have written. One particular issue I came across, common to all applications, is the inevitable "path disclosure vulnerability". The premise behind this so-called vulnerability is that remote attackers by specifying certain values can make the script report its own location on disk. Theoretically this combined with another vulnerability could be used to do *something* or rather then potentially could be bad. As you can probably tell, I don't see this as something to be terribly concerned about in most cases.

He gives the example of passing an array into a function like htmlspecialchars, which expects a string, to trigger a PHP error whose message includes the full path to the file. He suggests two methods for cleanly handling the issue: either have PHP catch the errors and log them to an external file, or go through your code and ensure that all variables are cast to the correct type before using them.
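Both suggestions applied to the htmlspecialchars case, as an added example that is not code from the original blog post. The log path, the `input_string()` helper and the sample request values are assumptions made for illustration.

```php
<?php
// Constructed input: the array PHP builds for a request like page.php?name[]=x
$query = ['name' => ['x'], 'page' => '2'];

// Before: the array reaches htmlspecialchars() unchecked. PHP 5/7 raise a
// warning and PHP 8 throws a TypeError; either message names the script's
// full path and reaches the client when display_errors is on.
function greet_unchecked(array $query): string
{
    return 'Hello ' . htmlspecialchars($query['name']);
}

// Suggestion 1: record errors in a file instead of printing them.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
ini_set('error_log', '/var/log/php/app-errors.log'); // assumed path, outside the web root

// Suggestion 2: make sure the value has the expected type before use.
// A bare (string) cast is not enough for arrays: it yields "Array" and
// raises an "Array to string conversion" notice that again names the file,
// so non-string input is replaced by a default instead.
function input_string(array $query, string $key, string $default = ''): string
{
    $value = $query[$key] ?? $default;
    return is_string($value) ? $value : $default;
}

function greet_checked(array $query): string
{
    $name = input_string($query, 'name', 'guest');
    return 'Hello ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
}

// Numeric parameters can be cast directly once they are known to be scalar.
$page = (int) input_string($query, 'page', '1');

// The array-valued "name" falls back to the default, so no error is raised.
echo greet_checked($query), ' (page ', $page, ")\n";
```

The two measures complement each other: the type check removes this particular trigger, while the logging settings cover errors raised anywhere else in the application.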

I'm not 100% sure that this is really that big of an issue, though - if they have the path, but you don't allow them any other interaction with the site (like, say, via an upload), how much else can they do with that information?
