Guestbook CGI contains a flaw that may allow a remote attacker to execute arbitrary commands. The script does not validate user-supplied input, so a remote attacker may be able to execute arbitrary commands with the privileges of the Web server, resulting in a loss of integrity.
Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround:
Turn off the use of HTML in your guestbook with the line:
$allow_html = "no";
or add the SSI keyword "exec" to the @bad_words array using the syntax:
@bad_words = ("exec");
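The missing input validation can also be addressed directly. The following is an added example, not code from the guestbook script or its author: it encodes HTML metacharacters in an entry before it is stored, so an SSI directive is written as inert text, and it flags entries that contain a directive so they can be logged or rejected. The function names `escape_entry` and `contains_ssi` and the sample entries are hypothetical.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper (not part of the guestbook script): encode the HTML
# metacharacters so submitted text can never form a tag, a comment or an
# SSI directive when the server later parses the guestbook page.
sub escape_entry {
    my ($text) = @_;
    $text = '' unless defined $text;
    $text =~ s/&/&amp;/g;     # must run first so the entities below are not re-encoded
    $text =~ s/</&lt;/g;
    $text =~ s/>/&gt;/g;
    $text =~ s/"/&quot;/g;
    return $text;
}

# Hypothetical check: true if the raw entry contains any SSI directive
# ("<!--#keyword"), whatever the keyword is. Useful for logging or rejecting
# the submission in addition to escaping it.
sub contains_ssi {
    my ($text) = @_;
    return 0 unless defined $text;
    return ($text =~ /<!--\s*#\w+/) ? 1 : 0;
}

# Constructed sample entries; the command string is a placeholder.
my @entries = (
    'Great site, thanks!',
    'Nice <b>page</b>',
    '<!--#exec cmd="PLACEHOLDER" -->',
);

for my $entry (@entries) {
    my $verdict = contains_ssi($entry) ? 'REJECT' : 'ok';
    printf "%-7s %s\n", $verdict, escape_entry($entry);
}
```

Escaping has the same effect as `$allow_html = "no";` in that no visitor-supplied markup reaches the page, and it does not depend on a keyword list being complete.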