``status.php`` uses ``<name>`` component of ``/tmp/rules.packages.<name>`` filenames in shell command without encoding
If there is a file named
/tmp/rules.packages.|<command>|.txt, then when an authenticated GUI user loads
status.php, the GUI executes
In combination with another bug that lets users write arbitrary files, such as #13425, a user with sufficient privileges to access
status.php could run a command directly or trick another administrator with privileges into running a command.
The commands which work here are of limited use as other characters which might make it more useful also make it fail to trigger. Furthermore,
status.php is not linked in the GUI and is typically only run under direction of TAC, so opportunity for exploitation is fairly low.