The function down_sql_action() in /admin/model/database.class.php in PHPYun 4.6 allows remote attackers to read arbitrary files via directory traversal in an m=database&c=down_sql&name=../ URI.Referenceshttp://jlkl.github.io/2018/10/25/CVE_02/http://str3am.me/2018/10/25/CVE_02/
