ArrowChat contains a flaw that allows an attacker to traverse outside of a restricted path. The issue is due to the external.php script not properly sanitizing user input, specifically directory traversal style attacks (e.g., ../../) supplied via the 'lang' parameter. This directory traversal attack would allow a local attacker to include arbitrary files.
// Load another language if lang GET value is set and exists
$lang = get_var('lang');