Absolute path traversal vulnerability in download.php in Jeebles Directory 2.9.60 allows remote attackers to read arbitrary files via a full pathname in the query string. NOTE: some of these details are obtained from third party information.
https://exchange.xforce.ibmcloud.com/vulnerabilities/37378
http://www.securityfocus.com/bid/26171
http://www.securityfocus.com/archive/1/482612/100/0/threaded