DSecRG Advisory #DSECRG-08-026 aka -018 describes a remote directory traversal
exploit which appears to _only_ have been fixed for DOSISH systems using \'s.
See http://www.securityfocus.com/archive/1/489205 for details.

When one runs

    telnet webrick-server
    GET //../../../../../../../../../etc/passwd HTTP/1.0

/etc/passwd is shown (=bad). This means that e.g. ruby-1.8.5-p115 is still
vulnerable on UNIX.

-- 
Jos Backus
jos at catnook.com