DirectContact Server Traversal Arbitrary File Access
Remote / Network Access
Loss of Confidentiality
DirectContact contains a flaw that allows a remote attacker to read the contents of arbitrary files outside of the web path. The issue is due to DirectContact not properly sanitizing user input, specifically directory traversal style attacks (../../) supplied to the server.
Upgrade to version 0.3c or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.