init.php in WebCalendar allows remote attackers to execute arbitrary local PHP scripts via the user_inc parameter.Referenceshttp://marc.info/?l=bugtraq&m=110011618724455&w=2http://www.securityfocus.com/bid/11651https://exchange.xforce.ibmcloud.com/vulnerabilities/18028http://secunia.com/advisories/13164
