I've had a bash at confirming and it doesn't seem to work for me. I've tried the string you gave and amending the number of ../ appropriately, but I can't get the contents of /etc/passwd to show.
What it's doing is adding .class.php to the name supplied in the p= query, so the target file isn't opened; however, you're absolutely correct that this has potential to be exploited to execute code uploaded by a third party to a different folder on the server.
The p= argument needs to be sanitised to remove ../ characters or some similar fix.
I'll mark as confirmed and we'll get a patch out.
Many thanks for your help finding this.
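One way the p= handling could be hardened, as an added example that is not the project's code: instead of only stripping "../", accept a strict allowlisted name and verify the resolved path stays inside the page directory. The PAGES_DIR location, the `resolve_page` helper and the `<name>.class.php` layout are assumptions.

```php
<?php
// Added example (not the project's own code): a hardened loader for a p=
// parameter that gets ".class.php" appended, as described in the thread.
// Assumed layout: page classes live in PAGES_DIR and are named <name>.class.php.

const PAGES_DIR = __DIR__ . '/pages';

/**
 * Resolve the p= value to a file inside PAGES_DIR, or return null.
 * Stripping "../" alone can be bypassed (e.g. "....//" collapses to "../"
 * after one removal), so instead only accept a simple identifier and then
 * confirm the canonical path is still under PAGES_DIR.
 */
function resolve_page(string $p): ?string
{
    // 1. Allowlist the shape of the name: letters, digits, underscore, hyphen.
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $p)) {
        return null;
    }
    $candidate = PAGES_DIR . '/' . $p . '.class.php';

    // 2. Canonicalise and check the file really lives inside PAGES_DIR.
    $real = realpath($candidate);
    $base = realpath(PAGES_DIR);
    if ($real === false || $base === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $real;
}

$page = resolve_page($_GET['p'] ?? 'home');
if ($page === null) {
    http_response_code(404);
    exit('Unknown page');
}
require $page;
```

With this in place, a value such as `../../etc/passwd` or `../uploads/evil` fails the allowlist check before any path is built, and a name that passes the regex but resolves outside PAGES_DIR (for example through a symlink) is rejected by the realpath comparison.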