BearShare contains a flaw that allows a remote user to traverse outside of a restricted path. The issue is due to the application not properly sanitizing user input against directory traversal style attacks (e.g., ../../) that use hexadecimal URL-encoded forward-slash characters supplied via the URI parameter. This directory traversal attack would allow the attacker to view files outside of the web root directory.
Currently, there are no known upgrades, patches or workarounds available to correct this vulnerability. The vendor provided version 4.0.6 to address the vulnerability in version 4.0.5; however, the fix was not complete, and version 4.0.6 is still vulnerable.