viewvc 1.0.3 allows improper access control to files in a repository when using the "forbidden" configuration option.