PHP remote file inclusion vulnerability in childwindow.inc.php in Popper 1.41-r2 and earlier allows remote attackers to execute arbitrary PHP code via the form parameter.
http://securitytracker.com/id?1014116
http://secunia.com/advisories/15584
http://marc.info/?l=full-disclosure&m=111801389729155&w=2
http://lists.grok.org.uk/pipermail/full-disclosure/2005-June/034425.html
http://lists.grok.org.uk/pipermail/full-disclosure/2005-June/034408.html