BugPort before 1.099 stores its configuration file (conf/config.conf) under the web document root with a file extension that is not normally parsed by web servers, which allows remote attackers to obtain sensitive information.
https://exchange.xforce.ibmcloud.com/vulnerabilities/15030
http://www.securityfocus.com/bid/9542