Direct code injection vulnerability in Task Manager in Invision Power Board 2.0.1 allows limited remote attackers to execute arbitrary code by referencing the file in "Task PHP File To Run" field and selecting "Run Task Now".
Invision Power Board Task Manager Arbitrary File Execution
Remote / Network Access
Loss of Integrity
Invision Power Board contains a flaw that allows a remote attacker with access to the admin console to execute arbitrary programs as the Apache user. The issue is due to the Task Manager 'Task PHP File To Run' field not requiring that task files end with the ".php" extension, which could allow other types of files, or files uploaded via the bulletin board, to be executed.
Currently, there are no known upgrades, patches, or workarounds available to correct this issue.
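The missing validation described above, sketched as an added example (this is not Invision Power Board code; the function name `resolve_task_file` and the dedicated task directory are assumptions). It goes beyond the extension check by also confining the resolved path to that directory, so a file in an upload area cannot be referenced.

```php
<?php
// Added illustration, not Invision Power Board code. The function name and
// the idea of a dedicated task directory are assumptions for this example.

/**
 * Resolve an admin-supplied task file name to a path that is safe to include.
 * Returns the canonical path, or null if the name must be rejected.
 */
function resolve_task_file(string $input, string $taskDir): ?string
{
    // The check the advisory says is missing: a plain file name ending in
    // ".php". The character class excludes "/", "\", "." and NUL, so no
    // directory component or double extension can pass.
    if (!preg_match('/\A[A-Za-z0-9_\-]+\.php\z/', $input)) {
        return null;
    }
    // Canonicalise both paths so symlinks cannot point outside the directory.
    $base = realpath($taskDir);
    $full = realpath($taskDir . DIRECTORY_SEPARATOR . $input);
    if ($base === false || $full === false) {
        return null; // directory or file does not exist
    }
    // Containment check on the resolved path.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($full, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return is_file($full) ? $full : null;
}

// Constructed demo layout: a task directory and a separate upload directory.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'taskdemo_' . bin2hex(random_bytes(4));
mkdir("$root/tasks", 0700, true);
mkdir("$root/uploads", 0700, true);
file_put_contents("$root/tasks/cleanup.php", "<?php // scheduled task\n");
file_put_contents("$root/uploads/avatar.gif", "GIF89a");

// Constructed field values: one legitimate task name, four that must fail.
$samples = ['cleanup.php', '../uploads/avatar.gif', 'avatar.gif',
            'cleanup.php.txt', 'missing.php'];
foreach ($samples as $name) {
    $path = resolve_task_file($name, "$root/tasks");
    printf("%-24s %s\n", $name, $path === null ? 'rejected' : 'accepted');
}

// Remove the demo files.
unlink("$root/tasks/cleanup.php");
unlink("$root/uploads/avatar.gif");
rmdir("$root/tasks");
rmdir("$root/uploads");
rmdir($root);
```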