In the EyesOfNetwork web interface (aka eonweb) 5.1-0, module\toolall\tools\interface.php does not properly restrict exec calls, which allows remote attackers to execute arbitrary commands via shell metacharacters in the hostlist parameter to module/toolall/selecttool.php.