Bad Bad Theme: Fail with file_get_contents()

This one is so dangerous it’s almost awesome.

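<?php
header('Content-Type: text/xml');
// Attacker-controlled: taken straight from the query string, no validation.
$url = $_GET['url'];
// Accepts local paths and any enabled stream wrapper, not just feed URLs.
$data = file_get_contents($url);
// Echoed back to the client as-is.
echo $data;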

The code blindly accepts anything passed via the url query parameter and hands it straight to file_get_contents(), making it possible for someone to inject just about any code they wished by simply passing it in the URL.

Submitted by Stephanie Leary.
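
A hardened version of the same proxy, as an added example that is not part of the submitted theme: it accepts only https URLs on an allowlisted host before calling file_get_contents(). The host feeds.example.com and the helper names validate_feed_url() and fetch_feed() are assumptions made for illustration.

```php
<?php
// Added example, not the theme's code; host and helper names are hypothetical.
const ALLOWED_HOSTS = ['feeds.example.com']; // assumed feed host

// Return the URL only if it is an https URL on an allowlisted host.
function validate_feed_url($url): ?string
{
    if (!is_string($url)) {
        return null; // ?url[]=... arrives as an array
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null; // bare local paths have no scheme or host
    }
    if (strtolower($parts['scheme']) !== 'https') {
        return null; // excludes file://, php://, data://, ftp://, plain http
    }
    if (isset($parts['user']) || isset($parts['pass']) || isset($parts['port'])) {
        return null; // no embedded credentials, default port only
    }
    if (!in_array(strtolower($parts['host']), ALLOWED_HOSTS, true)) {
        return null;
    }
    return $url;
}

// Fetch with redirects disabled, a timeout and a size cap.
function fetch_feed(string $url): ?string
{
    $ctx = stream_context_create(['http' => [
        'follow_location' => 0, // a redirect could leave the allowlist
        'timeout'         => 5,
    ]]);
    $data = @file_get_contents($url, false, $ctx, 0, 1048576); // 1 MiB cap
    return $data === false ? null : $data;
}

$url = validate_feed_url($_GET['url'] ?? null);
if ($url === null) {
    http_response_code(400);
    exit('Invalid feed URL');
}
$data = fetch_feed($url);
if ($data === null) {
    http_response_code(502);
    exit('Feed unavailable');
}
header('Content-Type: text/xml');
echo $data;
```

Where the theme only ever needs one feed, hard-coding that URL and dropping the url parameter entirely removes the input altogether.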