[Original text] Direct static code injection vulnerability in add_link.txt in daverave Link Bank allows remote attackers to execute arbitrary PHP code via the url_name parameter, which is not sanitized before being stored in links.txt, which is later used in an include statement.
Link Bank iframe.php Multiple Variable Arbitrary PHP Code Injection
Remote / Network Access
Loss of Integrity
Link Bank contains a flaw that may allow a malicious user to execute arbitrary code. The issue is triggered when malicious code is passed into the 'url_name' and 'url' parameters when adding links. It is possible that the flaw may allow arbitrary code execution resulting in a loss of integrity.
Currently, there are no known upgrades, patches, or workarounds available to correct this issue.
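The root cause described above is that user-supplied text is written to a file that PHP later parses through include. The following is an added example of the hardened pattern, not Link Bank's code or a vendor fix; the function names, the JSON-lines storage format, and the 200-byte name limit are assumptions made for illustration.

```php
<?php
declare(strict_types=1);
// Added example: hypothetical names throughout, not Link Bank's own code.
// Pattern the advisory describes (comment only): request values are written
// raw into links.txt and the file is later pulled in with include, so PHP
// parses whatever was stored. Fix: store data as data, never include it.

function add_link(string $url, string $urlName, string $file): bool
{
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (filter_var($url, FILTER_VALIDATE_URL) === false
        || !in_array($scheme, ['http', 'https'], true)) {
        return false;                       // reject non-web URLs
    }
    $urlName = trim($urlName);
    if ($urlName === '' || strlen($urlName) > 200) {
        return false;                       // assumed length limit
    }
    // JSON_HEX_TAG encodes '<' and '>' as \u003C / \u003E, so the stored file
    // can never contain a PHP open tag; newlines are escaped too, so one
    // record always occupies exactly one line.
    $record = json_encode(['url' => $url, 'name' => $urlName],
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    if ($record === false) {
        return false;                       // e.g. invalid UTF-8
    }
    return file_put_contents($file, $record . "\n", FILE_APPEND | LOCK_EX) !== false;
}

function render_links(string $file): string
{
    $html = '';
    $lines = is_file($file) ? file($file, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) : [];
    foreach ($lines ?: [] as $line) {
        $rec = json_decode($line, true);
        if (!is_array($rec) || !is_string($rec['url'] ?? null) || !is_string($rec['name'] ?? null)) {
            continue;                       // skip malformed records
        }
        $html .= sprintf("<a href=\"%s\">%s</a><br>\n",
            htmlspecialchars($rec['url'], ENT_QUOTES, 'UTF-8'),
            htmlspecialchars($rec['name'], ENT_QUOTES, 'UTF-8'));
    }
    return $html;
}

// Constructed sample input, written to a temporary file.
$tmp = tempnam(sys_get_temp_dir(), 'links');
add_link('https://example.org/docs', 'Docs <b>& notes</b>', $tmp);
echo render_links($tmp);
unlink($tmp);
```

The stored file is only ever read with file() and decoded as JSON, so its contents are never handed to the PHP parser, and output escaping keeps stored names from being interpreted as markup.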