PHP remote file inclusion vulnerability in common.php in PHP Photo Album allows remote attackers to execute arbitrary PHP code via a URL in the db_file parameter. NOTE: CVE disputes this vulnerability, because versions 0.3.2.6 and 0.4.1beta do not contain this file. However, it is possible that the original researcher was referring to a different product
http://www.securityfocus.com/archive/1/462802/100/0/threaded
http://www.securityfocus.com/archive/1/462559/100/0/threaded
http://www.attrition.org/pipermail/vim/2007-March/001432.html