[原文]The campas CGI program provided with some NCSA web servers allows an attacker to execute arbitrary commands via encoded carriage return characters in the query string, as demonstrated by reading the password file.
Campas is a sample CGI script shipped with some older versions of NCSA HTTPd, an obsolete web server package. The versions that included the script could not be determined as the server is no longer maintained, but version 1.2 of the script itself is known to be vulnerable. The script fails to properly filter user supplied variables, and as a result can be used to execute commands on the host with the privileges of the web server. Commands can be passed as a variable to the script, separated by %0a (linefeed) characters. See exploit for example. Successful exploitation of this vulnerability could be used to deface the web site, read any files the server process has access to, get directory listings, and execute anything else the web server has access to.
> telnet target 80
lp:x:71:8:Line Printer Admin:/usr/spool/lp:
smtp:x:0:0:Mail Daemon User:/:/bin/false