index.php in Francisco Burzi PHP-Nuke 5.3.1 and earlier, and possibly other versions before 5.5, allows remote attackers to execute arbitrary PHP code by specifying a URL to the malicious code in the file parameter.
https://exchange.xforce.ibmcloud.com/vulnerabilities/7914
http://www.securityfocus.com/bid/3889