Versions of W3Mail 1.0.6 and greater are susceptible to a file disclosure vulnerability. To view attachments, the script "viewAttachment.cgi" accepts the parameter "file". The value of this parameter is passed to the open() function as the filename argument without being sanitized. Attackers may cause any file on the filesystem to open by specifying its relative path using directory traversal characters.
W3Mail contains a flaw that allows a REMOTE attacker to traverse outside of a restricted path. The issue is due to the SCRIPT not properly sanitizing user input, specifically directory traversal style attacks (e.g., ../../) supplied via the file parameter. This directory traversal attack would allow the attacker to retrive arbitrary files.
Upgrade to version 1.0.7 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.