The $page variable in Hassan Consulting Shopping Cart does not properly check for insecure relative paths such as the double dot "..". Therefore, requesting the following URL will display the specified file:
Successful exploitation could lead to a remote intruder gaining read access to any known file.
Hassan Shop Cart contains a flaw that allows a remote attacker to access arbitrary files outside of the web path. The issue is due to the "shop.cgi" script not properly sanitizing user input, specifically directory traversal sequences (../../) supplied via the "page" variable.
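The following is an added illustration of this class of defect, written for this page and not taken from Hassan Shopping Cart (the product's own "shop.cgi" source is not shown here, and its language and install path are not stated). It is written in Python with a constructed base directory, a constructed page-name allow-list, and constructed log lines; nothing in it is a patch for the product. It shows two things a defender wants: a page-parameter resolver that canonicalises the path and refuses anything that escapes the base directory (including absolute paths, NUL bytes and URL-encoded or double-encoded ".." sequences), and a small detector that flags such requests in access-log lines.

```python
import os
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed web root for the example; the product's real install path is
# not given on the page, so this is a placeholder.
BASE_DIR = "/var/www/shop/pages"

# Constructed allow-list: simple page names only. This alone rules out '/',
# '..' and absolute paths; the canonical-path check below is defence in depth.
PAGE_NAME_RE = re.compile(r"^[A-Za-z0-9_-]+(\.html?)?$")

# Constructed Common Log Format parser: client IP and request target.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def fully_unquote(value, rounds=3):
    """Percent-decode repeatedly so that double-encoded input (%252e) is seen
    as the characters it would become after the server and script decode it."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal_attempt(value):
    """True if a page value contains a NUL byte, starts at a filesystem root,
    or has any '..' path segment (with '/' or '\\' as separators)."""
    value = fully_unquote(value)
    if "\x00" in value or value.startswith(("/", "\\")):
        return True
    return any(seg == ".." for seg in re.split(r"[\\/]+", value))


def safe_page_path(base_dir, page):
    """Return the absolute path of a page under base_dir, or None if the
    request must be rejected. Both the allow-list and the canonical-path
    containment check must pass."""
    if not isinstance(page, str) or "\x00" in page:
        return None
    if not PAGE_NAME_RE.fullmatch(page):
        return None
    real_base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(real_base, page))
    # commonpath of two absolute paths is their shared leading directory;
    # anything that resolved outside real_base (symlinks included) fails here.
    if os.path.commonpath([real_base, candidate]) != real_base:
        return None
    return candidate


def flag_traversal_requests(log_lines):
    """Scan access-log lines for requests whose 'page' query parameter looks
    like a traversal attempt. Returns a list of (client_ip, decoded_page)."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, target = m.groups()
        params = parse_qs(urlsplit(target).query, keep_blank_values=True)
        for page in params.get("page", []):
            if is_traversal_attempt(page):
                hits.append((ip, fully_unquote(page)))
    return hits


# Constructed sample log lines (the /cgi-bin/ path and addresses are made up).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2000:00:00:00 +0000] "GET /cgi-bin/shop.cgi?page=about.html HTTP/1.0" 200 512',
    '10.0.0.9 - - [01/Jan/2000:00:00:01 +0000] "GET /cgi-bin/shop.cgi?page=../../config/secret.cfg HTTP/1.0" 200 1024',
    '10.0.0.9 - - [01/Jan/2000:00:00:02 +0000] "GET /cgi-bin/shop.cgi?page=%252e%252e%252f%252e%252e%252fconfig%252fsecret.cfg HTTP/1.0" 200 1024',
]

if __name__ == "__main__":
    print(safe_page_path(BASE_DIR, "about.html"))
    print(safe_page_path(BASE_DIR, "../../config/secret.cfg"))
    for ip, page in flag_traversal_requests(SAMPLE_LOG):
        print(f"traversal attempt from {ip}: page={page!r}")
```

The allow-list is the primary control and the canonical-path check is the backstop: a regex cannot see symlinks, and a containment check cannot stop an attacker-chosen but in-directory name, so the two are complementary. The detector decodes more than once on purpose, since a server or script that percent-decodes twice would turn `%252e%252e` into `..` before opening the file.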
Currently, there are no known upgrades, patches, or workarounds available to correct this issue.