A low privileged remote attacker can run the webshell with an empty command containing whitespace. The server will then block until it receives more data, resulting in a DoS condition of the websserver.
Credits
D. Blagojevic, S. Dietz, F. Koroknai, T. Weber from CyberDanube
