Steps to Reproduce

1. Navigate to https://imagerepo.oberoigroup.com and authenticate with valid user credentials.
2. Access https://imagerepo.oberoigroup.com/?p=user_sharedwithme&sharedlink=ae3089e011d2fa6820cb468f9583cc8ba931b646 and navigate to the Shared with Me section from the left navigation panel.
3. Select any image available within the section and click on the Download option located in the top right corner.
4. Intercept the download request using Burp Suite and modify the fordl[] parameter with following crafted Local File Inclusion payloads.

	%2Fimage_bank%2F..%2Flogin.php (Read internal login.php)
	%2Fimage_bank%2F..%2Fconfig%2Fconfig.php (Read config.php)
	%2Fimage_bank%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd (Read /etc/passwd)

5. Send the modified request and observe that arbitrary internal files can be downloaded from the server, including sensitive files containing database credentials, SMTP credentials, and other internal configuration data.

Note: The POC in Step 2 demonstrates accessing a shared URL solely to ensure that at least one image is available within the Shared with Me section for testing the vulnerable download functionality.
