send_message.php in AeroMail before 1.45 allows remote attackers to read arbitrary files on the server, instead of just uploaded files, via an attachment that modifies the filename to be uploaded.