I'm really surprised this doesn't seem to have been posted before now. This is a classic case of a vulnerability which "requires shell access" but in fact, that means any ability to run a CGI. Some providers who don't provide SSH/Telnet access to a shell may imagine they are protected from this, but I doubt it.
