informed us about
a security vulnerability. So here it is!
Here's the email.
One of our subscribers has reported a security vulnerability with your
product. The description of this vulnerability is attached below. We would
like to know if you are aware of this problem, and whether you have some
solution for it.
Description
In your browser, simply type
http://yourdomain/random_banner/index.cgi?image_list=alternative_image.list&html_file=../../../../../etc/passwd
and you should be able to view the passwd file as user nobody (if the server
is serving pages as user nobody ...).
I have tried to execute a command with |, but it will not always work,
because by default the script runs with the -T option (#!/usr/bin/perl -T). You can
first view the script code in the above way and check whether there is a -T option; if
not, you can execute any command as the nobody user ( ....&html_file=|ls -la| )
Solution
A snippet of the script index.cgi at line 195, without comments:
---[ line 195 + ]-------------------------------------------------
open (HTML_VIRTUAL, "$html_file") ||
    &CgiDie (" blablabla... ");
while (<HTML_VIRTUAL>)
{
    if (/\<!--IMG GOES HERE--\>/)
    {
        print qq!
<A HREF = "$random_url">
<IMG SRC = "$image_url/$random_image"></A>!;
    } else {
        print "$_";
    }
}
close (HTML_VIRTUAL);
------------------------------------------------------------------
The above snippet is not safe code. To make it safer,
good code should look like this:
---[ change above snippet to this snippet! ]----------------------
$html_file =~ s/\%([\d\w]{2})/pack('c',hex($1))/gie;
if( $html_file =~ /\.\.\/|\|/ )
{
    &CgiDie( "Not allowed... " );
} else {
    open (HTML_VIRTUAL, "$html_file") ||
        &CgiDie ( "I'm sorry, but I was unable to open the requested
HTML file in the Insert Random Banner Into Page routine. The
value I have is $html_file. Would you please check the path and
the permissions for the file." );
    while (<HTML_VIRTUAL>)
    {
        if (/\<!--IMG GOES HERE--\>/)
        {
            print qq!
<A HREF = "$random_url">
<IMG SRC = "$image_url/$random_image"></A>!;
        } else {
            print "$_";
        }
    }
    close (HTML_VIRTUAL);
}
------------------------------------------------------------------
Then you can only get a file in the current directory or upper directory.
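
An added example, not part of the original email or the vendor's script: a pattern that rejects only ../ and | still accepts absolute paths and keeps the two-argument open, so this example checks html_file against an allowlist and opens it with a fixed read mode. The directory in $TEMPLATE_DIR, the .html/.htm naming rule and the function names are assumptions for illustration.

```perl
use strict;
use warnings;
use File::Spec;

# Assumption: all page templates live in one fixed directory (hypothetical path).
my $TEMPLATE_DIR = '/var/www/random_banner/templates';

# Return a safe path for $name, or nothing if the name is not acceptable.
# Call this on the already URL-decoded CGI parameter.
sub safe_template_path {
    my ($name) = @_;
    return unless defined $name;
    # Allowlist: a bare file name ending in .html or .htm, with no directory
    # separator, pipe, percent sign, NUL byte or leading dot.
    # Under taint mode (perl -T) the capture also untaints the value.
    return unless $name =~ /\A([A-Za-z0-9_][A-Za-z0-9_.-]{0,63}\.html?)\z/;
    my $file = $1;
    return if $file =~ /\.\./;    # defence in depth: no ".." anywhere
    return File::Spec->catfile($TEMPLATE_DIR, $file);
}

# Open the template read-only, or return nothing on any failure.
sub open_template {
    my ($name) = @_;
    my $path = safe_template_path($name) or return;
    # Three-argument open: the mode is fixed to '<', so a leading or
    # trailing '|' in a name can never be interpreted as a command.
    open(my $fh, '<', $path) or return;
    return $fh;
}

# Constructed sample inputs, not taken from any real request log.
my @samples = (
    'banner_page.html',             # plain template name
    '../../../../../etc/passwd',    # traversal from the report
    '/etc/passwd',                  # absolute path
    '|ls -la|',                     # pipe form from the report
    'page.html|',                   # trailing pipe
    "page.html\0.txt",              # embedded NUL byte
    '%2e%2e/page.html',             # still-encoded input
);
for my $s (@samples) {
    (my $shown = $s) =~ s/\0/\\0/g;    # make the NUL byte printable
    my $verdict = defined(safe_template_path($s)) ? 'accepted' : 'rejected';
    printf "%-30s %s\n", $shown, $verdict;
}
```

Only the first sample is accepted; every other input is rejected before any open call is reached.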