
Hurr!C4Ne!

Researcher from AJAX Security Team
#48883 of 53,635
5 Total CVSS
Vulnerabilities · 1
PT-2011-3226
5.0
2011-04-05
Douran · Douran Portal · CVE-2011-1569
**Name of the Vulnerable Software and Affected Versions**

Douran Portal version 3.9.7.8

**Description**

The issue allows remote attackers to obtain the source code of arbitrary files under the web root. This can be achieved through the "download.aspx" page by manipulating the `FileNameAttach` parameter with techniques such as appending a trailing ".", a trailing space, or using mixed case.

**Recommendations**

For Douran Portal version 3.9.7.8, consider restricting access to the "download.aspx" page until a fix is available, and avoid using the `FileNameAttach` parameter with potentially vulnerable inputs.