onArcade 2.4.x Local File Get Contents Vulnerability
onArcade is a nice PHP CMS that handles video and online game content.
The template file handler does not filter its input sufficiently,
which leads to a file_get_contents() vulnerability.
 Vulnerable Versions
 Bug Track
Because of the special treatment of the .php extension, we won't be able to read files with a .php extension.
However, you may use a null byte to bypass this restriction and "drop" the extension in the file path when PHP <= 5.3.4.
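
A defensive counterpart to the issue described above, as an added example that is not onArcade's code or part of the original advisory: a template loader that rejects null bytes, allowlists the template name, and confirms the resolved path stays inside the template directory before calling file_get_contents(). The function name `load_template`, the `.html` suffix and the demo directory are assumptions made for illustration.

```php
<?php
// Hypothetical hardened template loader (not onArcade's own code).
function load_template(string $baseDir, string $name): string
{
    // Reject NUL bytes explicitly: on the old PHP versions the advisory
    // mentions, the path is cut at the NUL and a server-side suffix is lost.
    if (strpos($name, "\0") !== false) {
        throw new InvalidArgumentException('NUL byte in template name');
    }
    // Allowlist: one path component, no separators and no dots, so the
    // caller cannot choose a directory or an extension.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name)) {
        throw new InvalidArgumentException('invalid template name');
    }
    $base = realpath($baseDir);
    if ($base === false) {
        throw new RuntimeException('template directory missing');
    }
    // The extension is appended by the server, never taken from the request.
    $path = realpath($base . DIRECTORY_SEPARATOR . $name . '.html');
    // Containment check after symlink resolution: the resolved file must
    // sit directly under the template directory.
    if ($path === false || dirname($path) !== $base || !is_file($path)) {
        throw new RuntimeException('template not found');
    }
    $data = file_get_contents($path);
    if ($data === false) {
        throw new RuntimeException('template unreadable');
    }
    return $data;
}

// Constructed demo: a temporary directory holding one template.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'tpl_demo_' . getmypid();
@mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'header.html', '<h1>ok</h1>');
foreach (['header', 'sub/header', "header\0"] as $candidate) {
    try {
        load_template($dir, $candidate);
        echo "accepted\n";
    } catch (Exception $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```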
 POC Video