PHP remote file include vulnerability in Yawp library 1.0.6 and earlier, as used in YaWiki and possibly other products, allows remote attackers to include arbitrary files via the _Yawp[conf_path] parameter.
http://www.securityfocus.com/bid/14237
http://www.securityfocus.com/archive/1/404948
http://www.hardened-php.net/advisory-102005.php