Internet Information Server - Unauthenticated Arbitrary File Read via showfile.asp File Parameter
FileSystemObject (FSO) in the showfile.asp Active Server Page (ASP) allows remote attackers to read arbitrary files by specifying the name in the file parameter.