diatheke.pl in Sword 1.5.7a allows remote attackers to execute arbitrary commands via shell metacharacters in a URL.
https://exchange.xforce.ibmcloud.com/vulnerabilities/18997
http://www.securityfocus.com/bid/12320
http://www.debian.org/security/2005/dsa-650
http://securitytracker.com/id?1012955