[原文]PHP remote file inclusion vulnerability in prepend.php in Plume CMS 1.0.2, when register_globals is enabled, allows remote attackers to include arbitrary files via a URL in the _PX_config[manager_path] parameter. NOTE: this is a different executable and affected version than CVE-2006-2645.
Plume CMS contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to prepend.php not properly sanitizing user input supplied to the "_PF_CONFIG['manager_path']" variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.
Currently, there are no known upgrades, patches, or workarounds available to correct this issue.