Directory traversal vulnerability in MP3Mystic prior to 1.04b3 allows a remote attacker to download arbitrary files via a '..' (dot dot) in the URL.
https://exchange.xforce.ibmcloud.com/vulnerabilities/6504
http://archives.neohapsis.com/archives/bugtraq/2001-05/0046.html