Directory traversal vulnerability in down.php in MyBackup 1.4.0 allows remote malicious users to read arbitrary files via a .. (dot dot) in the filename parameter.
tufat mybackup 1.4.0