CVE 2006-1260
Horde Application Framework 3.0.9 allows remote attackers to read arbitrary files via a null character in the url parameter in services/go.php, which bypasses a sanity check.
See the 
CVE page on Mitre.org
for more details.
