[原文]Directory traversal vulnerability in GForge 3.3 and earlier allows remote attackers to list arbitrary directories via a .. (dot dot) in the (1) dir parameter to controller.php or (2) dir_name parameter to controlleroo.php.
GForge contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when an attacker passes a directory outside of the server root to the dir variable in the controller.php module, which will disclose arbitrary directory information resulting in a loss of confidentiality.
Upgrade to version 4.0 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.