{proxy,chpasswd}.cgi: Fix a remote code execution vulnerability

Handcrafted requests with shell commands could be sent to these
CGI files and gain shell access as unprivileged user.

References: #11087

Reported-by: Yann Cam <yann.cam@gmail.com>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

html/cgi-bin/proxy.cgi

@@ -27,6 +27,7 @@
 #
 
 use strict;
+use Apache::Htpasswd;
 
 # enable only the following on debugging purpose
 #use warnings;
@@ -4134,7 +4135,9 @@ sub adduser
 		close(FILE);
 	} else {
 		&deluser($str_user);
-		system("/usr/sbin/htpasswd -b $userdb $str_user $str_pass");
+
+		my $htpasswd = new Apache::Htpasswd("$userdb");
+		$htpasswd->htpasswd($str_user, $str_pass);
 	}
 
 	if ($str_group eq 'standard') { open(FILE, ">>$stdgrp");