getalbum.php in PhotoAlbum prior to 0.9.9 allows remote malicious users to read arbitrary files via a .. (dot dot) directory traversal attack.
nathan purciful phpphotoalbum 0.9.9