download_script.asp in ASP Folder Gallery allows remote attackers to read arbitrary files via a filename in the file parameter.