download.php in FD Script 1.3.2 and earlier allows remote attackers to read source of files under the web document root with certain extensions, including .php, via a relative pathname in the fname parameter, as demonstrated by downloading config.php.
https://exchange.xforce.ibmcloud.com/vulnerabilities/31915
http://www.vupen.com/english/advisories/2007/0383
http://www.securityfocus.com/archive/1/458231/100/0/threaded
http://securityreason.com/securityalert/2197