I hate to say it, but yes, there is a way into .16 through the ever-vulnerable highlight code, which allows arbitrary execution of PHP commands. A simple MOD_REWRITE rule blocks it, disabling the PHP system() and exec() calls defangs it, and removing the other security issues found in most sites makes it useless.
What are the other security issues?
- writeable temporary or other file areas that allow command execution
- web server user allowed access to wget and other file fetching tools
- web server user allowed to write executable files anywhere
I tested exploit code that was reported here last week. It did manage to get through PHPBB to attempt to execute malicious code on the test server. That server doesn't have any of the issues listed above, so it did not succeed in doing anything more than make log entries.

The exploit has been reported to the security tracker. I'm sure it is being worked on, but it's one of those "how to fix it so that it doesn't break everything else" things. Personally, I'd disable the highlight code completely, and ignore any attempt to use it, but some people desperately need it.
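Two of the layers described in the post (the mod_rewrite block and the disabled system()/exec() calls), written out as an added example for Apache 2.x with mod_php; this is not the poster's rule or phpBB's own configuration. It assumes the board lives under /var/www/forum and that PHP runs as mod_php, since disable_functions cannot be set from .htaccess.

```apache
# Added example, not from the original post. Assumed layout: phpBB under
# /var/www/forum, scripts executed by mod_php (not CGI or FPM).
<Directory "/var/www/forum">
    RewriteEngine On

    # Layer 1: refuse any request whose highlight= value contains anything but
    # plain search terms. QUERY_STRING is matched raw (still URL-encoded), so the
    # allow-list is letters, digits, '_', '-', '+' and "%20" as a word separator.
    # The condition fires on any other percent-escape (quotes, brackets, a
    # double-encoded "%25...") or any literal character outside that set, and it
    # checks every highlight= occurrence, so repeating the parameter does not
    # bypass it.
    RewriteCond %{QUERY_STRING} (^|&)highlight=[^&]*(?:%(?!20)|[^A-Za-z0-9_+%&-]) [NC]
    RewriteRule .* - [F,L]

    # Layer 2: even if a request slips past the rule, PHP must not be able to
    # spawn a shell. disable_functions is PHP_INI_SYSTEM, so it only takes effect
    # from httpd.conf (php_admin_value) or php.ini, never from a script.
    php_admin_value disable_functions "system,exec,passthru,shell_exec,popen,proc_open"
</Directory>
```

Blocked requests are logged as 403s, so the attempts the post describes show up in the access log with no rewrite of the board's PHP. Disabling the highlight code in phpBB itself, as the post suggests, remains the cleaner fix where the feature is not needed.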