[Original text] Directory traversal vulnerability in acc.php in QuickBlogger 1.4 allows remote attackers to read or include arbitrary local files via the request parameter. NOTE: this issue can also produce resultant XSS when the associated include statement fails.
QuickBlogger contains a flaw that allows a remote attacker to access arbitrary files outside of the web path. The issue is due to the acc.php script not properly sanitizing user input supplied via the 'request' variable, specifically directory traversal sequences (../../). Additionally, if arbitrary script is supplied in this variable, it may be echoed back to the user under some configurations, allowing for cross-site scripting (XSS) attacks.
The vendor has discontinued this product and therefore has no patch or upgrade that mitigates this problem. It is recommended that an alternate software package be used in its place.
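With no vendor fix available, spotting exploitation attempts in web server logs is the control that remains while the product is replaced. The scanner below is an added example, not part of the original advisory or of QuickBlogger; the access-log lines and client addresses are constructed, and the traversal and XSS markers are assumptions about how abuse of the 'request' parameter to acc.php would appear in a log.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed Apache-style access log lines (not taken from any real server).
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /blog/acc.php?request=home HTTP/1.1" 200 512
203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET /blog/acc.php?request=../../../../etc/passwd HTTP/1.1" 200 1024
203.0.113.7 - - [01/Jan/2024:10:00:02 +0000] "GET /blog/acc.php?request=..%252f..%252fetc/passwd HTTP/1.1" 200 1024
203.0.113.9 - - [01/Jan/2024:10:00:03 +0000] "GET /blog/acc.php?request=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 300
203.0.113.9 - - [01/Jan/2024:10:00:04 +0000] "GET /blog/index.php?page=about HTTP/1.1" 200 2048
"""
REQUEST_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so a double-encoded '..%252f' is seen as '../'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(raw_value):
    """Tag a decoded 'request' value: traversal, absolute path, or script content."""
    value = fully_decode(raw_value).replace("\\", "/")
    tags = []
    if ".." in value.split("/"):
        tags.append("traversal")
    if value.startswith("/") or re.match(r"^[a-zA-Z]:/", value):
        tags.append("absolute-path")  # include of a file by absolute path
    if re.search(r"<\s*/?\s*(script|img|svg|iframe)\b|javascript:", value, re.I):
        tags.append("xss")  # resultant XSS when the include statement fails
    return tags

def scan(log_text):
    """Return (ip, request_value, tags) for acc.php hits whose 'request' looks hostile."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_LINE.match(line)
        url = urlsplit(m.group("target")) if m else None
        if url is None or not url.path.endswith("/acc.php"):
            continue
        # parse_qs decodes once; classify() handles any further encoding layers.
        for raw in parse_qs(url.query, keep_blank_values=True).get("request", []):
            tags = classify(raw)
            if tags:
                hits.append((m.group("ip"), raw, tags))
    return hits

if __name__ == "__main__":
    for ip, value, tags in scan(SAMPLE_LOG):
        print(f"{ip} request={value!r} -> {', '.join(tags)}")
```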