File Paths
From GeeklogWiki
Beware of Relative Paths
Plugins designed to work with files stored on the system are likely to suffer from security issues if they do not take great care to deal with the paths in question.
For example, suppose your plugin prompts a user to pick a file from a list, then passes that filename through to display (log file browser?):
<?php $filename = $_POST['filename']; readfile( $_CONF['path_system'] . '/plugins/myexploitablefileplugin/files/' . $filename ); ?>
This is very vulnerable. A malicious user could inject ../../../../../etc/passwd for example, or any other file you wouldn't want to make public. Suppose you use this method to include a theme.php file with an include call? Then a user could inject anything they've managed to drop into your error.log file!