The flaw exists because the lib.inc.php script does not verify the pm_path parameter before using it in include statements. An attacker can therefore submit a path that points to malicious PHP code stored on a separate server.
Any code executed this way runs with the file permissions assigned to the web server. On a default Apache installation, that is the unprivileged account nobody. Other web servers or customized Apache installations could operate under different accounts, some of which may be privileged.
Proof-of-concept code has been made publicly available. The code demonstrates the method used to specify, within a URL, the remote location of the PHP script that is to be executed by pMachine.
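The coding pattern behind this class of flaw and one way to close it, as an added PHP example (not pMachine's code; the module names, APP_BASE, ALLOWED_MODULES and resolve_include are hypothetical):

```php
<?php
// Added illustration; not pMachine source. All names below are hypothetical.

// Vulnerable pattern described in the advisory: a request-controlled value
// reaches include without any check, so it can name a remote location.
//   $pm_path = $_GET['pm_path'];
//   include($pm_path . 'config.php');

// Hardened pattern: the include base is fixed server-side and is never
// read from the request.
define('APP_BASE', __DIR__ . '/includes');

// Files that may be loaded, keyed by the short name a request may send.
const ALLOWED_MODULES = [
    'config' => 'config.php',
    'weblog' => 'weblog.php',
];

function resolve_include(string $module): string
{
    // Anything that is not an exact allowlist key is refused outright.
    if (!array_key_exists($module, ALLOWED_MODULES)) {
        throw new InvalidArgumentException('unknown module');
    }
    $base = realpath(APP_BASE);
    $path = realpath(APP_BASE . '/' . ALLOWED_MODULES[$module]);
    // realpath() returns false when the file does not exist; the prefix
    // check rejects a file that resolves (e.g. via symlink) outside the base.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new RuntimeException('include path rejected');
    }
    return $path;
}

// The request supplies only a short module name, never a path or URL.
try {
    require resolve_include($_GET['module'] ?? 'config');
} catch (Throwable $e) {
    http_response_code(400);
    exit('Bad request');
}
```

Setting `allow_url_include = Off` in php.ini (the default since PHP 5.2) additionally prevents include and require from fetching remote URLs.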