hmm... i think $include_dir has been declare.. $include_dir = "./include"; <--- there is patch $language_dir = "./languages"; include "$include_dir/index_header.inc"; so i think this not Vuln..