PhpGroupWare makes insecure calls to the include() function of PHP which can allow the inclusion of remote files, and thereby the execution of arbitrary commands on the remote web server with the permissions of the web server user, usually 'nobody'.