diff --git a/server/plugins-available/apache2_plugin.inc.php b/server/plugins-available/apache2_plugin.inc.php
index e3b8bfe695d86d5dfcf38a2c311ed41b3634539d..f4b6ab7bca3e35bb5fc471132931fbb78045047c 100644
--- a/server/plugins-available/apache2_plugin.inc.php
+++ b/server/plugins-available/apache2_plugin.inc.php
@@ -884,7 +884,7 @@ class apache2_plugin {
 			}
             
           // get the primitive folder for document_root and the filesystem, will need it later.
-          $df_output=explode(" ", exec("df -T " . $data['new']['document_root'] . "|awk 'END{print \$2,\$NF}'"));
+          $df_output=explode(" ", exec("df -T " . escapeshellarg($data['new']['document_root']) . "|awk 'END{print \$2,\$NF}'"));
           $file_system = $df_output[0];
           $primitive_root = $df_output[1];
 
diff --git a/server/plugins-available/cron_plugin.inc.php b/server/plugins-available/cron_plugin.inc.php
index 00ea6d32b60ccb558c5f033d6666cc08038f754a..c7109a562e9d949af1cc408a0d7efc8bbab42254 100644
--- a/server/plugins-available/cron_plugin.inc.php
+++ b/server/plugins-available/cron_plugin.inc.php
@@ -136,7 +136,7 @@ class cron_plugin {
             }
 
             // get the primitive folder for document_root and the filesystem, will need it later.
-            $df_output=explode(" ", exec("df -T " . $parent_domain["document_root"] . "|awk 'END{print \$2,\$NF}'"));
+            $df_output=explode(" ", exec("df -T " . escapeshellarg($parent_domain["document_root"]) . "|awk 'END{print \$2,\$NF}'"));
             $file_system = $df_output[0];
             $primitive_root = $df_output[1];