By changing internal compose.php variables it's possible to access files of settings of different users.
vulners.com/securityvulns/securityvulns:doc:13871