Remote Command Execution
BeLove opened this issue
Sergey Belov commented
Hey
Seems it is possible to execute a custom OS command through
https://github.com/kaeverens/kvwebme/blob/master/install/theme-upload.php#L96
$_FILES[ 'theme-zip' ][ 'name' ] - it's just an HTTP POST param that can be controlled via a request from the user.
Kae Verens commented
Nice catch. To be honest, I think it might be time to shut this project down. I haven't done anything on it in years.
Sergey Belov commented
Probably. I found it randomly - https://searchcode.com/?q=shell_exec (first result)
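For the upload handling reported above, one way to unpack a theme archive without a shell, as an added example that is not kvwebme code. The function name `extract_theme_zip()` and the `themes` directory are hypothetical, and it assumes the installer used the uploaded file's name in a shell command to unpack the archive, which this page does not show.

```php
<?php
// Added example, not kvwebme code. extract_theme_zip() and $destDir are hypothetical.
declare(strict_types=1);

function extract_theme_zip(array $upload, string $destDir): string
{
    // Reject failed uploads and files that did not arrive via HTTP POST.
    if (($upload['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($upload['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }

    // $upload['name'] is client-supplied: it is never used in a path or a
    // command here. The target directory name is generated server-side.
    $target = rtrim($destDir, '/') . '/theme-' . bin2hex(random_bytes(8));

    // ZipArchive reads the archive in-process, so no shell is involved.
    $zip = new ZipArchive();
    if ($zip->open($upload['tmp_name']) !== true) {
        throw new RuntimeException('not a valid zip archive');
    }

    // Entry names inside the archive are also attacker-controlled:
    // refuse empty names, absolute paths, backslashes and ".." segments.
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $entry = $zip->getNameIndex($i);
        if ($entry === false || $entry === '' || $entry[0] === '/'
            || strpos($entry, '\\') !== false
            || preg_match('#(^|/)\.\.(/|$)#', $entry)) {
            $zip->close();
            throw new RuntimeException('unsafe entry in archive');
        }
    }

    if (!mkdir($target, 0750, true) || !$zip->extractTo($target)) {
        $zip->close();
        throw new RuntimeException('extraction failed');
    }
    $zip->close();
    return $target;
}

// Usage (hypothetical destination directory):
//   $dir = extract_theme_zip($_FILES['theme-zip'], __DIR__ . '/themes');
// If a shell command cannot be avoided, quote every argument, e.g.
//   shell_exec('unzip -q ' . escapeshellarg($tmp) . ' -d ' . escapeshellarg($dir));
```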