Hello,

Just encountered an interesting thing while browsing Sugar plugins on SugarForge. From this example it seems that files with *.php extension get executed on the dl.sugarforge.org server instead of raw output. This may cause a security risk.