Sambar Server prior to 6.0 beta 6 allows remote malicious users to obtain sensitive information via direct requests to the default scripts (1) environ.pl and (2) testcgi.exe.