Well darn

Ok @ deviance on some servers i have it compiled with php4 + php5 and enhanced the security on both of them

The reason as to why i think it is blocking it is because of mycrypt i dont fully understand it yet but by the looks of it it looks like its checking bytes by 29 and 36 or 30 if you run a script and it doesnt compare to those it does not execute

by using ../../../../ it will block it but if we encode you can try and use

%20/% followed by the /etc/passwd


Thats just a theory if we take a look at how the transversial is even executing we can look here

If we tried to inject this code onto ?wwwRoot it would not work why? beacuse wwwRoot is basically a addon to the variables to config.php killthread.php and basedir so if executing a load o f include functions of config / killthread was not found

But in the variable baseDir it connects all the variables together making it the big guy

Code: 
$baseDir = substr($wwwRoot, 0, ##BASEDIR##);
    require($baseDir . 'funcs.inc');
    require($baseDir . 'config.php');

Any other ideas can be great i will be testing this script for javascript injection and other stuff later on today