Absolute path traversal vulnerability in steps/mail/sendmail.inc in
Roundcube Webmail before 0.7.3 and 0.8.x before 0.8.6 allows remote
attackers to read arbitrary files via a full pathname in the _value
parameter for the generic_message_footer setting in a save-perf action to
index.php, as exploited in the wild in March 2013.