Directory traversal vulnerability in highlight.php in bcoos 1.0.9 through 1.0.13 allows remote attackers to read arbitrary files via (1) .. (dot dot) or (2) C: folder sequences in the file parameter.

More... (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2350)