PHP remote file inclusion vulnerability in Ottoman 1.1.2, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via the default_path parameter in (1) error.php, (2) index.php, and (3) classes/main_class.php.
https://www.exploit-db.com/exploits/1854
https://exchange.xforce.ibmcloud.com/vulnerabilities/26894