Directory traversal vulnerability in passwiki.php in PassWiki 0.9.16 RC3 and earlier allows remote attackers to read arbitrary local files via a .. (dot dot) in the site_id parameter.