Trac's wiki and ticket systems allow attachments to be added
to wiki entries and bug tracker tickets. These attachments
are stored in directories whose names are derived from the
id of the corresponding ticket or wiki entry.
Because the id parameter is not validated, an attacker can
supply arbitrary paths to the upload and attachment viewer
scripts. This means that a potential attacker can retrieve
any file readable by the webserver user.
Additionally, it is possible to upload arbitrary files (up
to the configured maximum size) to any location the
webserver user has write access to.
For obvious reasons this can lead to the execution of
arbitrary code if it is possible to upload files to the
document root or its subdirectories. One example of such a
configuration would be running Trac together with
s9y/wordpress, with writable content directories, on the
same webserver.
Another potential use of this flaw would be to abuse Trac
powered webservers as storage for e.g. torrent files.
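The missing check described above is a path-containment check on the id before it is used to build the attachment directory. The following is an added illustration, not Trac's own code: the root directory, function names and the allowed id syntax are assumptions chosen for the example.

```python
# Added example (not Trac's code): resolve an attachment directory from an
# untrusted ticket/wiki id so that the result can never leave the
# configured attachment root. ATTACHMENT_ROOT, the function names and the
# allowed id syntax are assumptions for illustration.
import os
import re

ATTACHMENT_ROOT = "/srv/trac/attachments"   # assumed base directory

# An id must be a plain token: no separators, no leading dot, no empty value.
_SAFE_ID = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*")


def is_valid_attachment_id(ident):
    """True only for ids that cannot act as a relative or absolute path."""
    return isinstance(ident, str) and _SAFE_ID.fullmatch(ident) is not None


def is_inside_root(path, root=ATTACHMENT_ROOT):
    """True if the normalised path lies strictly below root."""
    base = os.path.normpath(root) + os.sep
    return os.path.normpath(path).startswith(base)


def attachment_dir(kind, ident):
    """Build the storage directory for an attachment.

    Rejects unknown kinds and any id that is not a plain token, then
    re-checks the normalised result against the root as a second line of
    defence (defence in depth: the regex alone should already suffice).
    """
    if kind not in ("ticket", "wiki"):
        raise ValueError("unknown attachment kind: %r" % (kind,))
    if not is_valid_attachment_id(ident):
        raise ValueError("invalid attachment id: %r" % (ident,))
    path = os.path.normpath(os.path.join(ATTACHMENT_ROOT, kind, ident))
    if not is_inside_root(path):
        raise ValueError("attachment path escapes the attachment root")
    return path
```

Rejecting at the id level (rather than only normalising the final path) is what keeps a later refactor of the path construction from silently reopening the hole.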