Squito Gallery contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to photolist.inc.php not properly sanitizing user input supplied to the 'photoroot' variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.
Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround: Set "register_globals" to "Off".