We realized that although the server replaces the filename with an automatically generated name, it keeps whatever file extension the voter provided. Instead of a file ending in .pdf, we could upload a file with a name that ended in almost any string we wanted, and this string would become part of the command the server executed. By formatting the string in a particular way, we could cause the server to execute commands on our behalf. For example, the filename
ballot.$(sleep 10)pdfwould cause the server to pause for ten seconds (executing the sleep 10 command) before responding. In effect, this vulnerability allowed us to remotely log in to the server as a privileged user.