Yamamah contains a flaw that allows a remote attacker to traverse outside of a restricted path. The issue is due to the 'themes/default/download.php' script not properly sanitizing user input, specifically directory traversal style attacks (e.g., ../../) supplied via the 'download' parameter. This directory traversal attack would allow the attacker to access arbitrary files.
Remote / Network Access
Loss of Confidentiality
Upgrade to version 1.00 (2010-06-14) or higher, as it has been reported to fix this vulnerability. Note that this flaw was fixed in the 2010-06-14 release without a change in version number. An upgrade is required as there are no known workarounds.