The "exploit" is at http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/49421
This seems to be a (very) false alarm. How does having a $filename argument in a function in a file containing only a class cause the function to be called when the file is called with a $_GET filename=... argument? Even if register_globals was enabled, this will obviously not call the function. And the scope of the function would make the name clash harmless. So in short, the "vulnerability" author Sp1deR_NeT has zero clue. And I wonder why this Debian bug has not been closed already.

Regards,
Thue