ViewVC before 1.0.5 provides revision metadata without properly checking
whether access was intended, which allows remote attackers to obtain
sensitive information by reading (1) forbidden pathnames in the revision
view, (2) log history that can only be reached by traversing a forbidden
object, or (3) forbidden diff view path parameters.