Web Shopper remote file retrieval

Byte's Interactive Web Shopper (shopper.cgi) allows for retrieval of arbitrary files from the web server. Both Versions 1.0 and 2.0 are affected. Example: GET /cgi-bin/shopper.cgi?newpage=../../../../etc/passwd will return /etc/passwd.
Uncomment the #$debug=1 variable in the script so that it will check for, and disallow, viewing of arbitrary files.