It's possible to access script code if cgi-bin is within DocumentRoot.
vulners.com/securityvulns/securityvulns:doc:13856