The SCADA server in Ecava IntegraXor before 4.1.4369 allows remote attackers to read arbitrary project backup files via a crafted URL.
https://www.cisa.gov/news-events/ics-advisories/icsa-14-008-01
http://www.integraxor.com/blog/category/security/vulnerability-note/