Pierre-Alain Joye picked this one up last week, and it needs repeating. For PHP6 the following are already gone from CVS:
As blogged a while back, you’ll find these changes discussed here. Nice use of carrot and stick in fact – for the pain on fixing your apps to run under PHP6, you get Unicode.
Update: just noticed a new ini setting here;
allow_url_include “0” PHP_INI_SYSTEM Available since PHP 6.0.0.
Excellent! That eliminates another major source of exploits (perhaps the biggest) – have moaned about that before here and here