delete.cgi invokes an external program through a system() call without escaping shell characters. It is possible to change the server configuration without administrator permissions. All passwords are stored in Base64 encoding.
vulners.com/securityvulns/securityvulns:doc:4625
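
An added example, not code from the advisory or the affected product: one way to avoid the system() pattern described for delete.cgi is to allowlist the request value and hand it to the helper as a single argv element with execv(), so no shell ever parses it. The function names, the 64-character limit and the helper path passed by the caller are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <stddef.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Pattern the advisory describes (shown only as a comment, do not use):
 *   snprintf(cmd, sizeof cmd, "helper %s", name); system(cmd);
 * The shell re-parses cmd, so any shell character in name changes the command.
 */

/* Hypothetical allowlist: 1..64 chars of [A-Za-z0-9._-], no leading '.' or '-'. */
int is_safe_name(const char *s)
{
    size_t n;
    if (s == NULL) return 0;
    n = strlen(s);
    if (n == 0 || n > 64 || s[0] == '.' || s[0] == '-') return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!isalnum(c) && c != '.' && c != '_' && c != '-') return 0;
    }
    return 1;
}

/* Run helper (absolute path, chosen by the caller) with name as one argv
 * element. Returns the helper's exit status, or -1 on rejection or failure. */
int run_helper(const char *helper, const char *name)
{
    int status;
    pid_t pid;
    if (!is_safe_name(name)) return -1;   /* reject before any process starts */
    pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        /* "--" stops option parsing in helpers that honour it. */
        char *const argv[] = { (char *)helper, "--", (char *)name, NULL };
        execv(helper, argv);              /* no shell is involved */
        _exit(127);                       /* reached only if exec failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}
```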