PHProjekt is a modular groupware web application used to coordinate group activities and share files.
cYon discovered that the authform.inc.php script allows a remote user to define the global variable $path_pre.
A remote attacker can exploit this vulnerability to force authform.inc.php to download and execute arbitrary PHP code with the privileges of the web server user.
There is no known workaround at this time.
All PHProjekt users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-apps/phprojekt-4.2-r2"