Spent the better part of the day cleaning up old websites we host after a rootkit on our webserver took down our network. Apparently, someone had made it standard practice in their web site design to have exactly one PHP page that "includes" every other page on the site using $QUERY_STRING as the file name. Not only was it a vulnerability, it was frelling unmaintainable. Luckily for me no one has ever requested changes.
A word of warning to anyone using PHP on their webserver: don't use $QUERY_STRING (or any $_GET or $_POST variables for that matter) in an include() without checking for taintedness first. Cross-site scripting attacks may be old news, but it seems that it is gaining renewed interest from script kiddies, and until today I didn't even know include() was vulnerable.