This isn't a directory traversal, the code is simply output on to the page as <frame src="..."> (sanitised of course), so they can only access what is available in the physical domain.

Scott MacVicar
Development Team, vBulletin

[ reply ]