In the php script pafiledb.php the value $action is used, but not declared. This can be exploited to insert arbitrary PHP code to be executed on the server from a web request.
As of March 31st 2005 PHP arena has announced that "Some security holes" have been closed. It does not name the specific holes however.
It is suggested by the discoverer of this vulnerability that removing line 25 of the script pafiledb.php resolves this issue.