PHP remote file inclusion vulnerability in _includes/settings.inc.php in Ajax File Browser 3 Beta allows remote attackers to execute arbitrary PHP code via a URL in the approot parameter.