Make sure /var/www/attachment is writeable to the user running pipe and also make sure that attachments are readable by the webserver. A very crude way of ensure this is like this:
./api/pipe.php:
112 if($filename && $cfg->canUploadFileType($filename)) {
113 $ticket->saveAttachment($filename,$part->body,$msgid,'M');
114 system("chmod 666 /var/www/attachment/*");
115 }