index.php in the File Manager module in Flatnuke 3 allows remote attackers to obtain sensitive information via an invalid argumentname parameter in a disc op action, which reveals the path in an error message.
https://www.exploit-db.com/exploits/4561