cgiemail (included with cPanel) local file inclusion vulnerability

Posted by Finbar Crago on Oct 19

cgiecho, a script included with cgiemail, will return any file under a
website's document root if the file contains square brackets and the
text within the brackets is guessable.

e.g. http://hostname/cgi-sys/cgiecho/login.php?'pass'=['pass'] will
display http://hostname/login.php if it contains $_POST['pass']

This behaviour is listed as a ‘small risk’ in the original
documentation (and back in 1998 it…
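
A log check for the behaviour described above, as an added example that is not part of the original post: it flags access-log requests that reach cgiecho with a target outside a site-maintained template list, or with a bracketed token in the query string. The template allowlist, the function name and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# URL prefix taken from the advisory's example.
CGIECHO_PREFIX = "/cgi-sys/cgiecho/"
# Assumption: the site keeps a list of the templates its forms really use.
KNOWN_TEMPLATES = {"/forms/contact.txt"}

# Client, request line and status of a common/combined-format log entry.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Constructed sample log lines (not taken from any real server).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] '
    '"GET /cgi-sys/cgiecho/login.php?%27pass%27=%5B%27pass%27%5D HTTP/1.1" 200 512',
    '198.51.100.4 - - [01/Jan/2024:10:00:05 +0000] '
    '"POST /cgi-sys/cgiecho/forms/contact.txt HTTP/1.1" 200 230',
    '198.51.100.9 - - [01/Jan/2024:10:00:09 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

def suspicious_cgiecho_requests(lines, known_templates=KNOWN_TEMPLATES):
    """Return (client, requested file, status, reasons) for cgiecho requests to review."""
    findings = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        try:
            parts = urlsplit(m["target"])
        except ValueError:  # malformed request target
            continue
        path = unquote(parts.path)
        if not path.startswith(CGIECHO_PREFIX):
            continue
        # cgiecho treats the rest of the path as the file to fill in and return.
        requested = "/" + path[len(CGIECHO_PREFIX):]
        reasons = []
        if requested not in known_templates:
            reasons.append("file is not a known form template")
        # Only GET parameters are logged; POST bodies are not visible here.
        if "[" in unquote(parts.query):
            reasons.append("bracketed token in query string")
        if reasons:
            findings.append((m["ip"], requested, m["status"], reasons))
    return findings
```
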
