A new directory traversal issue has been discovered in nBill, affecting ALL VERSIONS. ALL users of nBill must apply the appropriate patch. I will reply to this topic with the relevant patch files for each version.
Please Note: This vulnerability is currently being actively used by hackers to try to retrieve sensitive information from servers where nBill is running. In most cases, if your server security is tight (open_basedir restriction in effect, or suPHP in use), the effects should not be serious; however, it is important that you patch your installation as soon as possible. If you are not already running the latest version (2.0.9 standard edition, 2.0.10 lite edition, or 1.2_10), you must upgrade first, then apply the appropriate patch below.