WebWho+ whois.cgi program allows remote attackers to execute commands via shell metacharacters in the TLD parameter.