CVE-2010-3206 Information

Description

Multiple PHP remote file inclusion vulnerabilities in DiY-CMS 1.0 allow remote attackers to execute arbitrary PHP code via a URL in the (1) lang parameter to modules/guestbook/blocks/control.block.php, (2) main_module parameter to index.php, and (3) getFile parameter to includes/general.functions.php.

Reference

http://packetstormsecurity.org/1008-exploits/diycms-rfi.txt
http://www.exploit-db.com/exploits/14822
https://exchange.xforce.ibmcloud.com/vulnerabilities/61454
