[原文]Directory traversal vulnerability in website.php in openEngine 1.8 Beta 2 and earlier allows remote attackers to list arbitrary directories and read arbitrary files via a .. (dot dot) in the template parameter.
openEngine website.php template Parameter Local File Inclusion
Remote / Network Access
Loss of Confidentiality,
Loss of Integrity
openEngine contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to website.php not properly sanitizing user input supplied to the 'template' variable. This may allow an attacker to view arbitrary files or include a file from the local host that contains arbitrary commands which will be executed by the vulnerable script.
Currently, there are no known upgrades, patches, or workarounds available to correct this issue.