PHP remote file inclusion vulnerability in index.php in TotalCalendar 2.30 and earlier allows remote attackers to execute arbitrary code via a URL in the inc_dir parameter, a different vector than CVE-2006-1922.
https://www.exploit-db.com/exploits/1753
https://exchange.xforce.ibmcloud.com/vulnerabilities/25878
http://www.securityfocus.com/archive/1/431866/30/5370/threaded
http://sweetphp.com/nuke/index.php
http://sweetphp.com/files/downloads/patches/TotalCalendar/Security_Patch.zip