diff --git a/htdocs/filefunc.inc.php b/htdocs/filefunc.inc.php
index dc3f1866382..1898b50e693 100644
--- a/htdocs/filefunc.inc.php
+++ b/htdocs/filefunc.inc.php
@@ -67,7 +67,9 @@ $conffiletoshow = "htdocs/conf/conf.php";
 // Include configuration
 // --- End of part replaced by Dolibarr packager makepack-dolibarr
+
 // Replace conf filename with "conf" parameter on url by GET
+/* Disabled. This is a serious security hole
 if (! empty($_GET['conf']))
 {
 $confname=basename($_GET['conf']);
@@ -77,7 +79,7 @@ if (! empty($_GET['conf']))
 $confname=basename(empty($_COOKIE['dolconf']) ? 'conf' : $_COOKIE['dolconf']);
 $conffile = 'conf/'.$confname.'.php';
 }
-
+*/
 // Include configuration
 $result=@include_once $conffile; // Keep @ because with some error reporting this break the redirect
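Review bot: The request-controlled `$conffile` assignment is only commented out (`/* Disabled ...` in the first hunk, `*/` in the second), so the `$_GET['conf']` / `$_COOKIE['dolconf']` override stays in the file and can be re-enabled by deleting two markers; delete the block instead and keep a single comment such as `// The configuration file path must never be derived from request data ($_GET, $_COOKIE).` A `/* ... */` wrapper is also fragile, since any later `*/` inside the block would reopen the code silently. With the block gone, `$conffile` depends entirely on the assignment made above this hunk, outside the visible diff; it is worth confirming that it is always set there, because the `@` on the `include_once` line hides a failure to load any file at all. The `if` statement begins in the first hunk and its `else` branch lies between the two hunks.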