eoc.py in Enemies of Carlotta (EoC) before 1.2.4 allows remote attackers to execute arbitrary commands via shell metacharacters in an "SMTP level e-mail address".