Apache webserver 2.0.52 and earlier allows remote attackers to cause a denial of service (CPU consumption) via an HTTP GET request with a MIME header containing multiple lines with a large number of space characters.
includer.cgi in The Includer allows remote attackers to execute arbitrary commands via shell metacharacters in (1) the URL or (2) the template parameter.