Directory traversal in cgi-bin/img.pl requires no authentication.
vulners.com/securityvulns/securityvulns:doc:9634