1. Login to Geoserver web panel
2 Go to Settings - Global
3. Change logging profile to QUIET_LOGGING.properties
4. Change log location: replace "logs/geoserver.log" to "/etc/passwd"
5. Go to Geoserver Logs
Result: you will see "/etc/passwd" (and even download whole file by link below log text)
So it's possible to read and display any local file from server with only geoserver web interface