Directory traversal vulnerability in combine.php in OSClass before 2.3.6 allows remote attackers to read and write arbitrary files via a .. (dot dot) in the type parameter. NOTE: this vulnerability can be leveraged to upload arbitrary files.
https://exchange.xforce.ibmcloud.com/vulnerabilities/73755
https://exchange.xforce.ibmcloud.com/vulnerabilities/73754
http://www.openwall.com/lists/oss-security/2012/04/02/6