Uebimiau Session Directory Disclosure

Summary
UebiMiau is a simple, cross-platform POP3/IMAP mail reader written in PHP. In its default installation, UebiMiau creates a temporary folder to store 'sessions' and other files. This folder is defined in 'inc/config.php' as './database/'. If the web administrator doesn't change this folder, an attacker can exploit this with the following request:

http://server-target/database/_sessions/

Solutions

1) Insert an index.php in each directory of the UebiMiau installation.

2) Set the variable $temporary_directory to a directory that is not public and has restricted access; set permissions to read-only for the 'web server user' on each file in $temporary_directory.

3) Set open_basedir in httpd.conf for your clients, following the model below:

<Directory /server-target/public_html>
    php_admin_value open_basedir /server-target/public_html
</Directory>
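As an added example (not code from the advisory or from UebiMiau itself), a POSIX shell check that audits an install against solutions 1 and 2 above: it reads $temporary_directory from inc/config.php, confirms the resolved directory sits outside the DocumentRoot, and confirms every directory carries an index.php. The install and DocumentRoot paths, and all function names, are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the advisory: hardening check for a UebiMiau
# install. It reads $temporary_directory from inc/config.php (the setting
# the advisory names), verifies the resolved directory lies outside the web
# root (solution 2) and that every directory under the install carries an
# index.php (solution 1). Paths and function names are this example's own.

# Canonical absolute path of an existing directory.
canon() { (cd "$1" 2>/dev/null && pwd -P); }

# Print the value assigned to $temporary_directory in the given config file.
read_temp_dir() {
  sed -n "s/^[[:space:]]*\\\$temporary_directory[[:space:]]*=[[:space:]]*[\"']\{0,1\}\([^\"';]*\).*/\1/p" "$1" | head -n 1
}

# 0 if $2 is outside DocumentRoot $1, 1 if it is reachable through the web server.
temp_dir_outside_docroot() {
  docroot=$(canon "$1") || return 1
  tmp=$(canon "$2") || return 1
  case "$tmp" in
    "$docroot"|"$docroot"/*) return 1 ;;
  esac
  return 0
}

# 0 when every directory below $1 contains an index.php, 1 otherwise.
all_dirs_have_index() {
  find "$1" -type d | while read -r d; do
    [ -f "$d/index.php" ] || { echo "no index.php in $d" >&2; exit 1; }
  done
}

# Full check: $1 = UebiMiau install dir, $2 = DocumentRoot. Returns 0 when hardened.
check_install() {
  tmp=$(read_temp_dir "$1/inc/config.php")
  [ -n "$tmp" ] || { echo "temporary_directory not found" >&2; return 1; }
  case "$tmp" in /*) ;; *) tmp="$1/$tmp" ;; esac  # relative paths are install-relative
  temp_dir_outside_docroot "$2" "$tmp" || { echo "temp dir $tmp is web-exposed" >&2; return 1; }
  all_dirs_have_index "$1"
}
```

Run it as `check_install /path/to/public_html/webmail /path/to/public_html`; a non-zero exit names the first failing condition on stderr.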