A remote attacker can craft the "movies" parameter with a ".." sequence to perform a directory traversal attack and read the first 1000 bytes of an arbitrary file.
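The flaw described above, next to a containment check that blocks it, as an added example that is not code from the affected application. The page does not name the application's language or layout, so Python, the function names, and the constructed `media` directory and files are assumptions.

```python
import os
import tempfile

PREVIEW_BYTES = 1000  # the advisory says the first 1000 bytes are disclosed


def read_preview_vulnerable(base_dir, movies):
    # Vulnerable pattern (assumed): the parameter is joined to the base
    # directory unchecked, so ".." segments walk out of base_dir.
    path = os.path.join(base_dir, movies)
    with open(path, "rb") as fh:
        return fh.read(PREVIEW_BYTES)


def read_preview_hardened(base_dir, movies):
    # Resolve symlinks and ".." first, then require the result to stay under base_dir.
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, movies))
    if os.path.commonpath([base, target]) != base:
        raise PermissionError("path escapes the media directory")
    if not os.path.isfile(target):
        raise FileNotFoundError("not a regular file")
    with open(target, "rb") as fh:
        return fh.read(PREVIEW_BYTES)


def demo():
    # Constructed layout: root/media/clip.txt is servable, root/secret.txt is not.
    with tempfile.TemporaryDirectory() as root:
        media = os.path.join(root, "media")
        os.mkdir(media)
        with open(os.path.join(media, "clip.txt"), "wb") as fh:
            fh.write(b"A" * 1500)
        with open(os.path.join(root, "secret.txt"), "wb") as fh:
            fh.write(b"outside the media directory")
        traversal = os.path.join("..", "secret.txt")
        leaked = read_preview_vulnerable(media, traversal)
        try:
            read_preview_hardened(media, traversal)
            blocked = False
        except PermissionError:
            blocked = True
        allowed = read_preview_hardened(media, "clip.txt")
        return leaked, blocked, len(allowed)


if __name__ == "__main__":
    print(demo())
```

The check runs on the resolved path rather than on the raw string, so absolute paths and symlinks that point outside the directory are rejected along with ".." sequences.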