source: https://www.securityfocus.com/bid/9537/info
Due to a lack of access validation to the '_admin' directory, malevolent users may be able to execute arbitrary admin scripts. This may allow a malicious user to upload arbitrary files to the affected system and gain access to files outside of the web server root directory. There may also be other consequences associated with this vulnerability.
http://www.example.org/_admin/
http://www.example.org/_admin/list_all.php?folder=../
http://www.example.org/_admin/upload.php