phpBB Auction Module Vulnerable To File Inclusion Exploit
Input passed to the "phpbb_root_path" parameter in "auction/auction_common.php" is not properly verified before it is used to include files. This can be exploited to include arbitrary files from external and local resources.
The vulnerability, discovered by VietMafia, has been confirmed in version 1.3m. Other versions may also be affected.
Protection / Solution
1. Disable "register_globals"
2. Edit the source code to ensure that input is properly verified.
via Pridels
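For step 2 above, one way to verify the input before any include runs. This is an added sketch, not the auction module's own code or an official patch; the included file name `auction_functions.php` and the helper `auction_include()` are hypothetical, and the `IN_PHPBB` guard assumes the usual phpBB convention that entry scripts define that constant before including helper files.

```php
<?php
// Added example (not the module's code). 'auction_functions.php' and
// auction_include() are hypothetical names used for illustration.
//
// Pattern the advisory describes, shown as a comment only:
//   include($phpbb_root_path . 'auction/auction_functions.php');
// With register_globals on, a direct request to this file can populate
// $phpbb_root_path from request data before the include executes.

// 1. Refuse direct access. phpBB entry scripts define IN_PHPBB before
//    pulling in helper files, so a direct request never has it set.
if (!defined('IN_PHPBB')) {
    die('Hacking attempt');
}

// 2. Refuse the request if the path variable arrives as user input at all.
foreach (array($_GET, $_POST, $_COOKIE) as $input) {
    if (isset($input['phpbb_root_path'])) {
        die('Hacking attempt');
    }
}

// 3. Derive the board root from this file's own location (auction/ sits
//    one level below it) instead of trusting a pre-existing variable.
$phpbb_root_path = realpath(dirname(__FILE__) . '/..') . '/';

// 4. Include only names from a fixed allowlist, and confirm the resolved
//    path still lies under the board root before including it.
function auction_include($root, $name)
{
    $allowed = array('auction_functions.php'); // hypothetical file name
    if (!in_array($name, $allowed, true)) {
        return false;
    }
    $path = realpath($root . 'auction/' . $name);
    if ($path === false || strpos($path, $root) !== 0) {
        return false;
    }
    include_once $path;
    return true;
}
```

Requested directly, this file stops at the first guard, which is the intended behaviour; the checks are independent, so each one still holds if another is removed or bypassed.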