source: http://www.securityfocus.com/bid/1462/info

The HTTP interface for WorldClient 2.1 is vulnerable to a directory traversal. By requesting a URL composed of the filename and ..\ it is possible for a remote user to retrieve and dowload any file of known location.

Example: 
http://email.victim.com/..\..\..\winnt\repair\sam._