Comment 3 for bug 1093967

Alex Harrington (alexharrington) wrote :

I've had a bash at confirming and it doesn't seem to work for me. I've tried the string you gave and amending the number of ../ appropriately, but I can't get the contents of /etc/passwd to show.

What it's doing is adding .class.php to the name supplied in the p= query, so the target file isn't opened; however, you're absolutely correct that this has potential to be exploited to execute code uploaded by a third party to a different folder on the server.

The p= argument needs to be sanitised to remove ../ characters or some similar fix.

I'll mark as confirmed and we'll get a patch out.

Many thanks for your help finding this.
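As an added illustration of the fix being discussed (not code from this project or from any participant), the resolver below shows the concatenation pattern the comment describes next to a hardened version that accepts only an identifier for p= and then checks the canonical path stays inside the class directory, rather than relying on stripping ../ alone. The function names, the classes directory and the usage at the bottom are assumptions.

```php
<?php
// Added example, not the project's own code. It assumes a hypothetical loader
// that maps ?p=NAME to NAME.class.php inside $classDir.

// Pattern the comment describes: the request value goes straight into the
// include path, so "../" sequences in p= can escape the class directory.
function loadClassUnsafe(string $classDir, string $p): string
{
    return $classDir . '/' . $p . '.class.php';
}

// Hardened resolver: allow only a plain identifier, then confirm the resolved
// file really lies inside $classDir before returning its path.
function resolveClassFile(string $classDir, string $p): ?string
{
    // An allowlist is stronger than removing "../": only identifier
    // characters are accepted, so no path separator can get through at all.
    if (!preg_match('/\A[A-Za-z0-9_]+\z/', $p)) {
        return null;
    }
    $base = realpath($classDir);
    $candidate = realpath($classDir . '/' . $p . '.class.php');
    if ($base === false || $candidate === false) {
        return null; // directory missing or class file does not exist
    }
    // Defence in depth: the canonical path must sit under the class directory.
    if (strpos($candidate, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $candidate;
}

// Constructed usage; the directory name is hypothetical.
$classDir = __DIR__ . '/classes';
$file = resolveClassFile($classDir, $_GET['p'] ?? '');
if ($file === null) {
    http_response_code(400);
    exit('invalid class name');
}
require $file;
```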