This is a falsified vulnerability. PHPWS_SOURCE_DIR and PHPWS_HOME_DIR are defined constants, not variables, and passing values in the URL has no effect on their value inside phpWebSite.