flsearch.pl in FtpLocate 2.02 allows remote malicious users to execute arbitrary commands via shell metacharacters in an HTTP GET request.