What is the web folder setting for the app?
It shouldn't be serving _anything_ that is not inside the web folder, unless you're doing a specific handling of the file using a technique like in example 40 (FileDownload). And even that should be done _very_ carefully - ideally using some random hash as a substitute for the file name.
Putting a full path name in the URL is _definitely_ a bad idea. That means any user can fetch literally any file on your server (including password files, data files and so on).
Cheers
Bruce
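An added illustration, not code from this thread or from the framework Bruce refers to, of the approach he describes: a download handler that hands out an opaque random token instead of a file name, and refuses any name that resolves outside the web folder. `FileDownloadRegistry`, `make_sample_root` and `attempt` are names introduced here, and the sample web folder is constructed in a temp directory.

```python
import secrets
import tempfile
from pathlib import Path


class FileDownloadRegistry:
    """Serve files by random token; no path from the URL is ever opened directly."""

    def __init__(self, web_root):
        # Canonical web folder; everything served must resolve beneath it.
        self.web_root = Path(web_root).resolve()
        self._tokens = {}

    def _confine(self, relative_name):
        # Path.resolve() collapses '..' and follows symlinks; an absolute
        # component in relative_name replaces web_root entirely, so the
        # parent check catches both "full path in URL" and traversal cases.
        candidate = (self.web_root / relative_name).resolve()
        if candidate != self.web_root and self.web_root not in candidate.parents:
            raise PermissionError(f"{relative_name!r} escapes the web folder")
        return candidate

    def register(self, relative_name):
        """Register a file inside the web folder and return a fresh download token."""
        path = self._confine(relative_name)
        if not path.is_file():
            raise FileNotFoundError(relative_name)
        token = secrets.token_urlsafe(32)  # 256 bits, unguessable, one per grant
        self._tokens[token] = path
        return token

    def resolve(self, token):
        """Map a token from the URL back to a Path, or None if unknown."""
        return self._tokens.get(token)


def make_sample_root():
    """Create a constructed web folder holding one downloadable file (demo only)."""
    root = Path(tempfile.mkdtemp())
    (root / "report.pdf").write_bytes(b"%PDF-1.4 constructed sample")
    return root


def attempt(registry, relative_name):
    """Return 'ok' or the exception class name raised while registering a name."""
    try:
        registry.register(relative_name)
        return "ok"
    except (PermissionError, FileNotFoundError) as exc:
        return type(exc).__name__
```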