viewrq.php in nweb2fax 0.2.7 and earlier allows remote attackers to execute arbitrary code via shell metacharacters in the var_filename parameter in a (1) tif or (2) pdf format action.Referenceshttps://www.exploit-db.com/exploits/5856http://www.securityfocus.com/bid/29804https://exchange.xforce.ibmcloud.com/vulnerabilities/43174
