osCommerce versions 2.x suffer from a directory traversal attack that allows for access to directories outside of the webroot. Besides using the download action, the read action is also usable.
9255249c2dea8f5cc5f61abe23ffc78055c3336e0b338f722ef32a8fb85d6493