Directory traversal vulnerability in index.php in Blank'N'Berg 0.2 allows remote attackers to read arbitrary files via a .. (dot dot) in the _path parameter.
https://exchange.xforce.ibmcloud.com/vulnerabilities/25617
http://www.silitix.com/bnb.php
http://www.securityfocus.com/bid/17345