The get_url function in DODS_Dispatch.pm for the CGI_server in OPeNDAP 3 allows remote attackers to execute arbitrary commands via shell metacharacters in a URL.