Common Vulnerabilities and Exposures assigned an identifier CVE-2009-2353 to the following vulnerability:

Name: CVE-2009-2353
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2353
Assigned: 20090707
Reference: BUGTRAQ:20090702 eAccelerator encoder files backup Vulnerability
Reference: URL: http://www.securityfocus.com/archive/1/archive/1/504695/100/0/threaded

encoder.php in eAccelerator allows remote attackers to execute arbitrary code by copying a local executable file to a location under the web root via the -o option, and then making a direct request to this file, related to upload of image files.

Looking quickly at this package, encoder.php is only included in the documentation directory, so there seems to be little chance of it being available by default or accidentally. Unfortunately, there is only the report (with few usable details) and no upstream activity/response regarding this issue.

Looks like this file was removed upstream in 0.9.6rc1:

http://eaccelerator.net/wiki/Release-0.9.6-rc1

We have 0.9.6.1 in all supported versions of Fedora, meaning this is no longer an issue.