/panel/uploads in Subrion CMS 4.2.1 allows remote attackers to execute arbitrary PHP code via a .pht or .phar file, because the .htaccess file omits these.
https://github.com/intelliants/subrion/issues/801
http://packetstormsecurity.com/files/173998/Intelliants-Subrion-CMS-4.2.1-Remote-Code-Execution.html
http://packetstormsecurity.com/files/162591/Subrion-CMS-4.2.1-Shell-Upload.html