Directory traversal vulnerability in index.php in ApPHP PHP MicroCMS 1.0.1, when magic_quotes_gpc is disabled, allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the page parameter.
https://exchange.xforce.ibmcloud.com/vulnerabilities/61813
http://secunia.com/advisories/41491