Re: MODS.X-CART.COM - PAID or FREE Wordpress integration mod - which is the best?
1. This mod doesn't have a security hole. If it were the case, I'd have contacted the mod's author first privately to get it fixed and to have a security patch released.
However the code is potentially insecure. Let me explain.
If you include any file the name and path of which you get from the GET variables, you're in danger. You should be as paranoid as you can and verify/sanitize the variables thoroughly.
What's the correct way? We create a white-list of possible symbols and remove all the symbols which are not in this list. If somebody (e.g. a curious hacker) inserts something wrong, we should:
1) Log his request, IP and notify the store owner.
2) die() immediately
What happens in the ARS mod at this moment? They use another approach: the black list. I.e. they remove the dangerous symbols only ("..") and leave the rest unchanged.
This way is much less secure than the white-list one.
Many things may happen: PHP can get a bug with file inclusion, you can move your blog to another place, your web developer may re-use this code for another project. And potentially this code can play a bad game.
When a developer creates code for an e-commerce site, which works with sensitive customer data, he/she must think about these things.
2. Showing static resources using dynamic scripts is a big no-no.
For example such resources will have no caching headers.
Well, if you don't have many customers, maybe it will work. However, as soon as you get some traffic, it will be necessary to optimize it.
__________________
Eugene Kaznacheev,
Evangelist/Product Manager at Ecwid: http://www.ecwid.com/ (since Sept 2009)
ex-Head of X-Cart Tech Support Department
ex- X-Cart Hosting Manager - X-Cart hosting
ex-X-Cart Technical Support Engineer
Note: For the official guaranteed tech support services please turn to the Customers HelpDesk.
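An added illustration of the white-list approach described in the post above (example code, not the ARS mod's or X-Cart's own): the file name taken from a GET variable is checked against a character white-list, and anything outside it is logged, reported to the store owner and stopped with die(). The parameter name `page`, the directory `templates`, the log path and the owner address are assumptions; the check rejects bad input instead of stripping it, and requires PHP 7+.

```php
<?php
// Added example: white-list validation of a file name from $_GET before include().
// Assumptions: includable files live in INCLUDE_DIR (assumed); SECURITY_LOG and
// OWNER_EMAIL are placeholders to replace with real values.
define('INCLUDE_DIR', __DIR__ . '/templates');
define('SECURITY_LOG', __DIR__ . '/logs/include_abuse.log');
define('OWNER_EMAIL', 'owner@example.com');

// Step 1 and 2 from the post: record request and IP, notify the owner, then stop.
function reject_request($reason, $value)
{
    $line = sprintf("%s ip=%s uri=%s value=%s reason=%s\n",
        date('c'),
        $_SERVER['REMOTE_ADDR'] ?? 'unknown',
        rawurlencode($_SERVER['REQUEST_URI'] ?? ''),
        rawurlencode($value),          // encoded so the log line stays one line
        $reason);
    error_log($line, 3, SECURITY_LOG);
    @mail(OWNER_EMAIL, 'Suspicious include request', $line);
    die('Bad request');
}

// Returns an absolute path safe to pass to include(), or never returns.
// White-list: letters, digits, underscore and hyphen only. The ".php" extension
// and the directory are fixed here, so the request cannot choose either.
function safe_include_path($requested)
{
    if (!is_string($requested) || $requested === '') {
        reject_request('empty file name', '');
    }
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $requested)) {
        reject_request('character outside white-list', $requested);
    }
    $base = realpath(INCLUDE_DIR);
    $path = realpath(INCLUDE_DIR . '/' . $requested . '.php');
    // realpath() resolves symlinks, so a link pointing outside INCLUDE_DIR is caught too.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        reject_request('file missing or outside include directory', $requested);
    }
    return $path;
}

// Usage: only a name that passed the white-list ever reaches include().
include safe_include_path($_GET['page'] ?? '');
```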