[原文]Directory traversal vulnerability in editconfig_gedcom.php for phpGedView 2.65.1 and earlier allows remote attackers to read arbitrary files or execute arbitrary PHP programs on the server via .. (dot dot) sequences in the gedcom_config parameter.
PhpGedView contains a flaw that may allow a malicious user with administrative rights to include malicious PHP files. The issue is triggered when an attacker sends a specially-crafted URL request to the editconfig_gedcom.php script to specify a malicious file from a remote system. It is possible that the flaw may allow arbitrary code execution resulting in a loss of confidentiality, integrity, and/or availability.
Upgrade to version 2.65.2 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.