Index: repository/web/includes/functions.php
===================================================================
--- repository.orig/web/includes/functions.php	2013-02-12 21:02:00.511508003 +1100
+++ repository/web/includes/functions.php	2013-02-12 21:19:44.275452822 +1100
@@ -905,7 +905,7 @@
 
 function packageControl( $command )
 {
-    $string = ZM_PATH_BIN."/zmpkg.pl $command";
+    $string = ZM_PATH_BIN."/zmpkg.pl ".escapeshellarg( $command );
     $string .= " 2>/dev/null >&- <&- >/dev/null";
     exec( $string );
 }
@@ -2145,7 +2145,8 @@
     else
     {
         // Can't connect so use script
-        $command = ZM_PATH_BIN."/zmx10.pl --command $status --unit-code $key";
+        $command = ZM_PATH_BIN.'/zmx10.pl --command '.escapeshellarg( $status );
+        $command .= ' --unit-code '.escapeshellarg( $key );
         //$command .= " 2>/dev/null >&- <&- >/dev/null";
         $x10Response = exec( $command );
     }
