classifieds.cgi allows remote attackers to execute arbitrary commands by specifying them in a hidden variable in a CGI form.