Auction Weaver Lite contains a flaw that allows an attacker to access arbitrary files. The issue is due to the auctionweaver.pl script not sanitizing input to the "username" or "bidfile" form fields. By supplying a value containing a directory traversal sequence (../../) in either field, an attacker can request arbitrary files outside the web path.
Upgrade to version 1.05 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.
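To review existing web server logs for requests matching the traversal described above, the following added example (not part of the original advisory or of Auction Weaver) flags access-log lines where the "username" or "bidfile" field of auctionweaver.pl contains a ".." path segment, including percent-encoded forms. It assumes the fields arrive in the query string and that the log uses the common log format; the /cgi-bin/ path and the sample log lines are constructed.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

SCRIPT = "auctionweaver.pl"        # script named in the advisory
FIELDS = {"username", "bidfile"}   # form fields named in the advisory
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# ".." as a whole path segment, with either slash style
TRAVERSAL_RE = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")

def decode_fully(value, rounds=3):
    """Undo repeated percent-encoding (%252e -> %2e -> '.')."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_traversal(log_line):
    """Return [(field, decoded_value)] for traversal values in one log line."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    if not url.path.lower().endswith("/" + SCRIPT):
        return []
    hits = []
    # parse_qsl decodes once; decode_fully handles double encoding
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        value = decode_fully(value)
        if name.lower() in FIELDS and TRAVERSAL_RE.search(value):
            hits.append((name, value))
    return hits

# Constructed sample log lines (documentation IP ranges, placeholder file name)
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /cgi-bin/auctionweaver.pl?username=alice&bidfile=item42 HTTP/1.0" 200 512',
    '192.0.2.77 - - [01/Jan/2024:10:02:11 +0000] "GET /cgi-bin/auctionweaver.pl?username=alice&bidfile=../../example.txt HTTP/1.0" 200 1830',
    '192.0.2.77 - - [01/Jan/2024:10:02:15 +0000] "GET /cgi-bin/auctionweaver.pl?username=%2e%2e%2f%2e%2e%2fexample.txt&bidfile=item42 HTTP/1.0" 200 1830',
    '192.0.2.77 - - [01/Jan/2024:10:02:19 +0000] "GET /cgi-bin/auctionweaver.pl?username=x&bidfile=%252e%252e%252fexample.txt HTTP/1.0" 200 1830',
    '192.0.2.10 - - [01/Jan/2024:10:05:00 +0000] "GET /index.html?bidfile=../../example.txt HTTP/1.0" 200 300',
]

if __name__ == "__main__":
    for lineno, line in enumerate(SAMPLE_LOG, 1):
        for field, value in find_traversal(line):
            print(f"line {lineno}: {field}={value!r}")
```

Form fields submitted by POST are not recorded in standard access logs, so this check only covers requests that carry the fields in the URL.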