AstroCMS contains a flaw that is triggered when input passed via the 'fname' parameter is not properly sanitized before being used in the /include/get_js.php4 script. When a request specifies an arbitrary file by absolute path, the server returns the contents of that file, subject to the privileges of the web server process.
Remote / Network Access
Loss of Confidentiality
OSVDB is not aware of a solution for this vulnerability.
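With no fix available, requests that pass an absolute path in 'fname' to /include/get_js.php4 can at least be found in the web server access log. The following is an added example, not code from OSVDB or AstroCMS; it assumes the common combined access-log format, and the sample log lines, addresses and file paths are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Script and parameter named in the advisory.
SCRIPT = "/include/get_js.php4"
PARAM = "fname"

# Request line inside a combined-format access log entry (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# POSIX absolute path, UNC path, or Windows drive path.
ABSOLUTE_RE = re.compile(r'^(?:/|\\\\|[A-Za-z]:[\\/])')

def absolute_fname_values(log_line):
    """Return the fname values in this log line that are absolute paths."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    # Match the script wherever the CMS is installed under the web root.
    if not url.path.lower().endswith(SCRIPT):
        return []
    # parse_qs percent-decodes once, as the web server would.
    values = parse_qs(url.query, keep_blank_values=True).get(PARAM, [])
    return [v for v in values if ABSOLUTE_RE.match(v.strip())]

def scan(lines):
    """Yield (line_number, client_ip, value) for each suspicious request."""
    for n, line in enumerate(lines, 1):
        for value in absolute_fname_values(line):
            yield n, line.split(" ", 1)[0], value

# Constructed sample log lines (documentation addresses, made-up paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /include/get_js.php4?fname=menu.js HTTP/1.1" 200 512',
    '192.0.2.44 - - [01/Jan/2024:10:00:05 +0000] "GET /include/get_js.php4?fname=%2Fsrv%2Fexample%2Fsettings.conf HTTP/1.1" 200 2048',
    '192.0.2.44 - - [01/Jan/2024:10:00:09 +0000] "GET /cms/include/get_js.php4?fname=C%3A%5Cexample%5Csettings.ini HTTP/1.1" 200 300',
    '192.0.2.10 - - [01/Jan/2024:10:00:12 +0000] "GET /index.php?fname=/srv/example/x HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for n, ip, value in scan(SAMPLE_LOG):
        print(f"line {n}: {ip} requested absolute path {value!r}")
```

A 200 response on a flagged line is the case to review first, since it indicates the file contents were returned.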