Super-interesting: http://www.sitepoint.com/blogs/2006/10/06/php-mapreduce/ Clicking "This search" in that article, I found the exact code at issue in this Hackers thread. Fortunately the $_GET parameter is appended to a known path, rendering this exploit unusable. Cheers, Andy