NAS4Free allows an authenticated user to post PHP code to a special HTTP script and have the code executed remotely. This Metasploit module was successfully tested against NAS4Free version 9.1.0.1.804. Earlier builds are likely to be vulnerable as well.
fbb827ba13b127c83e13d52ae23cb93628f4e71810cd8f99c67c4c5a187bb5f0