Saturday, February 17, 2007


Update to my previous post :)

Possibility to fetch files such as /etc/passwd
http://www.flconferences.com/download.php?file=/legionsec_1/archive/LegionSec'06___Vicente.pdf => Example

Clicking the above link produces an error that references "Function.fopen".

The error lists the full path on the server: "fopen(/hsphere/local/home/flconf/flconferences.com/user_conference/legionsec_1/archive/LegionSec\'06___Vicente.pdf"

How much time will it take an attacker to manipulate this function and retrieve critical files such as /etc/passwd or /etc/shadow?

With this kind of information in hand, the extent of damage that can be done is "maximum".

Documentation for Function.fopen from PHP Website.
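
For the defensive side, here is a sketch of a download handler that confines the `file` parameter to one directory and keeps fopen-style warnings out of the response. It is an added example, not the site's code (download.php itself is not shown on this page); the base directory, the function name `resolve_download` and the 404 handling are assumptions.

```php
<?php
// Added example. DOWNLOAD_ROOT and resolve_download() are hypothetical names;
// the real handler's source is not available on the page.

// Keep PHP warnings (which include absolute server paths) out of the
// HTTP response and send them to the error log instead.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

const DOWNLOAD_ROOT = '/var/www/example/user_conference'; // assumed base directory

function resolve_download(string $requested, string $root): ?string
{
    // Empty names and embedded NUL bytes are never valid.
    if ($requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    $rootReal = realpath($root);
    if ($rootReal === false) {
        return null;
    }
    // realpath() collapses "..", "." and symlinks, and returns false
    // when the target does not exist.
    $full = realpath($rootReal . DIRECTORY_SEPARATOR . ltrim($requested, '/\\'));
    if ($full === false || !is_file($full)) {
        return null;
    }
    // The resolved path must still sit under the root. Comparing with a
    // trailing separator stops "/root_other" from matching "/root".
    $prefix = rtrim($rootReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($full, $prefix, strlen($prefix)) === 0 ? $full : null;
}

$requested = $_GET['file'] ?? '';
$path = is_string($requested) ? resolve_download($requested, DOWNLOAD_ROOT) : null;
if ($path === null) {
    // Same generic answer for "missing" and "outside the root".
    http_response_code(404);
    exit('File not found.');
}
$name = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($path));
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . $name . '"');
header('Content-Length: ' . filesize($path));
readfile($path);
```

The web server account should also have no read access to files outside the download directory, so that a bypass of the check does not expose system files.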

Full-Disclosure - We believe in it.


Cheers :)
