Re: "HitWeb v3.0 - Remote File Include Vulnerabilities" report on Bugtraq, and also BID: 20060. index.php says this before anything else: include "conf/hitweb.conf" ; and that conf file says: $REP_CLASS = 'class'; I didn't check the other files. Stuart