faqmanager.cgi in FAQManager 2.2.5 and earlier allows remote attackers to read arbitrary files by specifying the filename in the toc parameter with a trailing null character (%00).
http://www.securityfocus.com/bid/3810
http://www.iss.net/security_center/static/7833.php
http://archives.neohapsis.com/archives/bugtraq/2002-01/0065.html
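
A detection sketch for the request pattern described above, added here as an example and not taken from the advisory or from FAQManager: it scans web access logs for faqmanager.cgi requests whose toc value contains a null byte, including double-encoded forms. The Common Log Format input, the sample lines, and the function names are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample access-log lines (Common Log Format), not from a real server.
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Jan/2002:10:00:01 +0000] "GET /cgi-bin/faqmanager.cgi?toc=general HTTP/1.0" 200 5120',
    '192.0.2.44 - - [10/Jan/2002:10:02:13 +0000] "GET /cgi-bin/faqmanager.cgi?toc=/path/to/file%00 HTTP/1.0" 200 812',
    '192.0.2.44 - - [10/Jan/2002:10:02:19 +0000] "GET /cgi-bin/faqmanager.cgi?toc=/path/to/file%2500 HTTP/1.0" 200 0',
    '192.0.2.77 - - [10/Jan/2002:10:05:40 +0000] "GET /cgi-bin/other.cgi?toc=x%00 HTTP/1.0" 404 0',
]

# Captures client address and request target from a Common Log Format line.
LINE_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def has_nul(value, max_rounds=3):
    """True if value contains a NUL byte, also after repeated URL-decoding."""
    for _ in range(max_rounds):
        if "\x00" in value:
            return True
        decoded = unquote(value)
        if decoded == value:      # nothing left to decode
            return False
        value = decoded
    return "\x00" in value


def suspicious_requests(lines, script="faqmanager.cgi", param="toc"):
    """Return (client, request_target) for script requests whose param carries a NUL."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        client, target = m.groups()
        parts = urlsplit(target)
        if parts.path.rsplit("/", 1)[-1].lower() != script:
            continue
        # parse_qsl percent-decodes once; has_nul handles further encoding layers.
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if name == param and has_nul(value):
                hits.append((client, target))
                break
    return hits


if __name__ == "__main__":
    for client, target in suspicious_requests(SAMPLE_LOG):
        print(f"possible null-byte file read attempt from {client}: {target}")
```
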