Recently, a Local/Remote file inclusion vulnerability was reported against MindTouch 10.1.3. Though the report looks ominous, this vulnerability is only exploitable when PHP is explicitly configured to operate in an insecure manner.
The PHP setting that makes this vulnerability exploitable is register_globals = On. When register_globals is set to On, input from the client (query string parameters and cookies) are assigned to variables in PHP which can cause unexpected and very unsafe results.
Because register_globals = On is such a high security risk, the default value of the setting is "Off" since PHP version 4.2.0, has been deprecated in PHP 5.3.0 and removed entirely in PHP 5.4.0.
MindTouch has never recommened that the setting be turned on nor shipped a product with register_globals = On.