kaeverens / kvwebme


Remote Command Execution #30

Open BeLove opened 8 years ago

BeLove commented 8 years ago

Hey. Seems it is possible to execute a custom OS command through https://github.com/kaeverens/kvwebme/blob/master/install/theme-upload.php#L96

$_FILES[ 'theme-zip' ][ 'name' ] - it's just an HTTP POST param that can be controlled via a request from the user.
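An added example, not part of this thread and not kvwebme's code: one way to unpack an uploaded theme archive without the client-supplied `name` field ever reaching a shell or a filesystem path. The function name `extract_theme_upload()` and the destination root are assumptions made for illustration.

```php
<?php
// Added illustration (hypothetical helper, not from the kvwebme repository).
// The only parts of a $_FILES entry the server controls are tmp_name, error
// and size; 'name' and 'type' are copied from the request and are untrusted.

function extract_theme_upload(array $file, string $destRoot): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }

    // Directory name is generated server-side; $file['name'] is never used.
    $dest = rtrim($destRoot, '/') . '/' . bin2hex(random_bytes(16));
    if (!mkdir($dest, 0750, true)) {
        throw new RuntimeException('cannot create destination');
    }

    // ZipArchive unpacks in-process, so no command line is built at all.
    $zip = new ZipArchive();
    if ($zip->open($file['tmp_name']) !== true) {
        throw new RuntimeException('not a valid zip archive');
    }

    // Entry names inside the archive are attacker-controlled as well:
    // refuse absolute paths, backslashes and ".." segments before extracting.
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $entry = $zip->getNameIndex($i);
        if ($entry === false || $entry === ''
            || strpos($entry, '\\') !== false
            || preg_match('#^/|(^|/)\.\.(/|$)#', $entry)) {
            $zip->close();
            throw new RuntimeException('unsafe entry name in archive');
        }
    }

    $ok = $zip->extractTo($dest);
    $zip->close();
    if (!$ok) {
        throw new RuntimeException('extraction failed');
    }
    return $dest;
}

// Call site (path is a placeholder):
// $dir = extract_theme_upload($_FILES['theme-zip'], '/path/to/themes');
```

If an external command cannot be avoided, every argument should be a server-chosen value passed through `escapeshellarg()`, never the uploaded file's `name`.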

kaeverens commented 8 years ago

Nice catch. To be honest, I think it might be time to shut this project down. I haven't done anything on it in years.

BeLove commented 8 years ago

Probably. I found it randomly - https://searchcode.com/?q=shell_exec (first result)