[Original text] upload.php in YaPiG 0.92b, 0.93u and 0.94u does not properly restrict the file extension for uploaded image files, which allows remote attackers to upload arbitrary files and execute arbitrary PHP code.
YaPiG contains a flaw that may allow a malicious user to execute arbitrary code. The issue occurs because the image upload functionality does not validate file extensions for user-supplied files. If an authenticated user uploads an executable file instead of an image file, it may be possible to execute arbitrary PHP code, resulting in a loss of integrity.
Currently, there are no known upgrades, patches, or workarounds available to correct this issue.
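
The kind of validation the description above reports as missing, shown as an added PHP example. It is not YaPiG code and not a vendor patch; the function name `store_uploaded_image`, the type map and the `$galleryDir` argument are hypothetical, and PHP 7 or later with the fileinfo extension is assumed.

```php
<?php
// Added illustration; not YaPiG code. All names here are hypothetical.

/**
 * Validate one $_FILES entry and store it under a server-chosen name.
 * Returns the stored file name; throws RuntimeException on rejection.
 */
function store_uploaded_image(array $file, string $galleryDir): string
{
    // Detected MIME type => extension the server will assign.
    $allowed = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];

    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Upload failed or is not an HTTP upload');
    }

    // 1. Extension allowlist on the client-supplied name: the check the
    //    advisory reports as missing. A name ending in .php stops here.
    $ext = strtolower(pathinfo((string) $file['name'], PATHINFO_EXTENSION));
    if ($ext === 'jpeg') {
        $ext = 'jpg';
    }
    if (!in_array($ext, $allowed, true)) {
        throw new RuntimeException('File extension not allowed');
    }

    // 2. Content check: the detected type must be an allowed image type
    //    and must agree with the extension.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    $expected = is_string($mime) ? ($allowed[$mime] ?? null) : null;
    if ($expected !== $ext || getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('Content is not a supported image');
    }

    // 3. Discard the client file name; store under a random name with the
    //    extension derived from the detected type.
    $stored = bin2hex(random_bytes(16)) . '.' . $expected;
    if (!move_uploaded_file($file['tmp_name'], rtrim($galleryDir, '/') . '/' . $stored)) {
        throw new RuntimeException('Could not store upload');
    }
    return $stored;
}
```

Because the stored name never comes from the client, the extension the web server sees is always one of the three in the map.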