Directory traversal vulnerability in fc.php in OpenX 2.6.3 allows remote attackers to include and execute arbitrary files via a .. (dot dot) in the MAX_type parameter.
https://www.exploit-db.com/exploits/7883
http://www.securityfocus.com/archive/1/500411/100/0/threaded