Re: Serious holes affecting JFFNMS

2007-07-05 Thread not
Per the following comments... Finally, the auth.php PHP script also includes the following code: if (($jffnms_version==0.0.0) ($_SERVER[REMOTE_ADDR]==128.30.52.13)) { which could be considered a backdoor although it does not appear to be exploitable in a typical installation. ...it should be

Serious holes affecting JFFNMS

2007-06-11 Thread Tim Brown
As a result of a short security audit of JFFNMS, a number of security holes were found, even from the perspective of a non-authenticated user. The holes included authentication bypass via SQL injection, JavaScript injection and a serious case of information disclosure. After liaising with the