WebCalendar 0.9.34 and earlier with 'browsing in includes directory' enabled allows remote attackers to read arbitrary include files with .inc extensions from the web root.
http://www.securityfocus.com/bid/4961
http://www.iss.net/security_center/static/9296.php
http://sourceforge.net/project/shownotes.php?group_id=3870&release_id=93295