Fix 0013282, 0013283: bug_actiongroup_ext_page.php LFI and XSS

High-Tech Bridge SA Security Research Lab reported 2 issues with the
'action' parameter to bug_actiongroup_ext_page.php

Issue 0013282

XSS issue with require_once() call failures returning an unescaped
user-supplied filename. There has been a fair amount of recent public
talk about PHP error messages being a source of XSS issues. This is an
example.

Issue 0012283

Local file inclusion/path traversal vulnerability on web servers that
allow translations like:
http://example.com/directory/file.htm/../file2.htm ==>
http://example.com/directory/file2.htm

Vulnerable (default configuration): Apache
Not vulnerable (default configuration): nginx

This issue has SEVERE consequences for people using web servers which
don't check each segment of a path from top to bottom for validity. It
shouldn't be possible to include the contents of config_inc.php to
retrieve MantisBT database passwords because
require_once('config_inc.php') will parse the document as a PHP script
(echoing nothing). However it may allow attackers to view private files
accessible to the web server user account. It also allows an attacker to
guess the file structure of a server (existence of installed software,
user accounts, etc).

nginx will produce a 404 error when it determines that file.htm is not a
directory. This makes too much sense, doesn't it?