Trac before 0.8.4 allows remote attackers to read or upload arbitrary files via a full pathname in the id parameter to the (1) upload or (2) attachment viewer scripts.
http://www.securityfocus.com/bid/13990
http://www.hardened-php.net/advisory-012005.php