[原文]Direct static code injection vulnerability in edit.php in ACal Calendar Project 2.2.5 allows authenticated users to execute arbitrary PHP code via (1) the edit=header value, which modifies header.php, or (2) the edit=footer value, which modifies footer.php. NOTE: this issue might be resultant from the poor authentication as identified by CVE-2006-0182. Since the design of the product allows the administrator to edit the code, perhaps this issue should not be included in CVE, except as a consequence of CVE-2006-0182.
ACal contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to a user with administrative rights on the application being able to edit the source code of the 'header.php' and 'footer.php' files. This may allow an attacker to add arbitrary PHP code to either file which will be executed when the page is visited/loaded normally.
Currently, there are no known upgrades, patches, or workarounds available to correct this issue.