PHP remote file inclusion vulnerability in master.php in OpenPHPNuke and 2.3.3 earlier allows remote attackers to execute arbitrary PHP code via a URL in the root_path parameter.