The Hardened-PHP Project has released a new advisory for a vulnerability in the PHProjekt groupware software.
While searching for applications that are vulnerable to a new class of vulnerabilities inside PHP applications, we took a quick look into the current PHProjekt source code and discovered that a (remote) include vulnerability had been (re)introduced.
By overwriting a variable with user input it is possible to inject and execute arbitrary PHP code. Overwriting this variable is possible regardless of the register_globals setting.
They give a few more details further down in the posting and note that users should download and install the latest version (at the time of this post, 5.1.2).
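An added illustration, not code from PHProjekt or from the advisory: it shows one common way a variable can be overwritten from request data even with register_globals off (the application importing request parameters itself), next to an include resolver that does not trust such variables. The advisory does not name the mechanism, so the import loop is an assumption, and all names (`import_request`, `resolve_module`, `lib_path`, `calendar`) are hypothetical.

```php
<?php
// Added example with hypothetical names; not PHProjekt source code.

// Assumed weak pattern: the application copies request parameters into its
// own variable scope, so the register_globals setting no longer matters.
function import_request(array $request, array &$scope): void
{
    foreach ($request as $name => $value) {
        $scope[$name] = $value; // path settings can be replaced like any other name
    }
}

// Hardened form: the request only selects a key from a fixed map, and the
// resolved file must exist inside the module directory.
function resolve_module(string $requested, string $baseDir, array $allowed): ?string
{
    if (!isset($allowed[$requested])) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $allowed[$requested]);
    if ($base === false || $path === false) {
        return null;
    }
    // Reject anything that resolves outside the module directory.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo data: a temporary module directory with one stub file.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'modules_demo';
@mkdir($base);
file_put_contents($base . DIRECTORY_SEPARATOR . 'calendar.php', "<?php // stub\n");

$scope   = ['lib_path' => $base]; // value set by the application's configuration
$request = ['lib_path' => 'http://example.invalid/x', 'module' => 'calendar']; // constructed
import_request($request, $scope);
echo 'configured path intact after import: ';
var_dump($scope['lib_path'] === $base);

$allowed = ['calendar' => 'calendar.php'];
echo 'allowlisted module resolves: ';
var_dump(resolve_module($request['module'], $base, $allowed) !== null);
echo 'overwritten value accepted as module: ';
var_dump(resolve_module($scope['lib_path'], $base, $allowed) !== null);
```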