There is a vulnerability in the osCommerce's File Manager that allows an attacker to retrieve arbitrary files from the webserver that reside outside the bounding HTML root directory.