W3Mail multiple bugs

delete.cgi invokes external program though system() call without escaping shell characters. It's possible to change server configuration without administrator's permissions. All passwords are stored in Base64 encoding.