[原文]Multiple directory traversal vulnerabilities in singapore Image Gallery Web Application 0.9.10 allow remote attackers to (1) read arbitrary files via the showThumb method for thumb.php, or (2) delete arbitrary files via admin.class.php.
singapore Image Gallery contains a flaw that allows a remote attacker to download arbitrary files. The issue is due to the showThumb() function of the 'thumb.php' script not properly sanitizing user input, specifically traversal style attacks (\..\ or /.../) which could allow a remote attacker to download arbitrary files resulting in a loss of confidentiality.
Upgrade to version 0.9.11 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.