PHP's file-based layout is one of the biggest mistakes in web security I can imagine, coupled with the lack of a built in secure file upload functions. I've seen so many websites coded with checks like "if .jpeg in filename", which is easily bypassed. Then once the file is up there you just have to navigate to it and BAM, you have RCE and a shell. Ridiculous.
I remember messing around with hack this site a long time ago. This looks like it will be a valuable lesson for all of the php devs out there who don't handle files often.