Directory traversal vulnerability in joovili.images.php in Joovili 3.0.0 through 3.0.6 allows remote attackers to read arbitrary files via a .. (dot dot) in the picture parameter.
https://www.exploit-db.com/exploits/4799
http://www.securityfocus.com/bid/27056