Spammers and crackers seem to really like this line in common.php:
include_once( $env['rootPath'].'/include/adodb/adodb.inc.php' );
When they call the script like e.g.:
They can execute all sorts of PHP code inside your server installation !
- This assumes, of course, that register_globals and allow_url_fopen are both on...