[Original text] PHP remote file inclusion vulnerability in error.php in GrayCMS 1.1 allows remote attackers to execute arbitrary PHP code by modifying the path_prefix parameter to reference a URL on a remote web server that contains the code.
GrayCMS contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to "code/error.php" not properly sanitizing user input supplied to the "path_prefix" parameter, and it applies if register_globals is enabled. This may allow a remote attacker to send a specially crafted URL and include a file from a remote host that contains arbitrary commands, which will then be executed by the vulnerable script.
Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround(s):
Exploitation of this vulnerability may not be possible unless both the 'allow_url_fopen' and 'register_globals' directives are enabled in the local site PHP configuration. As a workaround, it is recommended to disable these PHP directives.
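To confirm the workaround is in place, the following added example (not part of the advisory or of GrayCMS) reads the text of a php.ini file and reports which of the two directives are still effectively enabled. The function names and sample files are constructed for illustration, and the fallback values assume PHP's built-in defaults (register_globals Off since PHP 4.2.0, allow_url_fopen On).

```python
import re

# Assumed PHP built-in defaults, used when php.ini does not set the directive
# (register_globals has defaulted to Off since PHP 4.2.0, allow_url_fopen to On).
DEFAULTS = {"register_globals": False, "allow_url_fopen": True}
LINE_RE = re.compile(r"^\s*([A-Za-z_][\w.]*)\s*=\s*(.*)$")


def ini_bool(raw):
    """Interpret a php.ini value the way PHP treats boolean directives."""
    value = raw.strip().strip("\"'").lower()
    if value in ("on", "true", "yes"):
        return True
    match = re.match(r"[+-]?\d+", value)   # otherwise only a non-zero number is true
    return bool(match) and int(match.group()) != 0


def effective_settings(ini_text):
    """Return the effective state of both directives; the last assignment wins."""
    state = dict(DEFAULTS)
    for line in ini_text.splitlines():
        line = line.split(";", 1)[0]       # drop ';' comments (whole-line or trailing)
        match = LINE_RE.match(line)
        if match and match.group(1) in state:   # directive names are case sensitive
            state[match.group(1)] = ini_bool(match.group(2))
    return state


def audit(ini_text):
    """List the directives that still have to be disabled for the workaround."""
    return sorted(name for name, on in effective_settings(ini_text).items() if on)


# Constructed sample configurations, not taken from any real site.
SAMPLE_WEAK = "[PHP]\nregister_globals = On\nallow_url_fopen = On\n"
SAMPLE_HARDENED = (
    "[PHP]\n"
    ";register_globals = On\n"
    "register_globals = Off\n"
    "allow_url_fopen = Off ; remote wrappers disabled\n"
)

if __name__ == "__main__":
    for label, text in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(label, "->", audit(text) or "workaround applied")
```

The check covers php.ini only; per-directory overrides are outside its scope.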