You're probably fooling youself a bit... The first stage in almost any cgi exploit is to find a way to read the source code. There are lots of ways to do this, but a classic one is to use one insecure CGI to read the source of another. I frequently get entries in my access_log that look like this:

GET http://whatever.com/cgi-bin/some.cgi?file=../cgi-bin/someother.cgi
[download]

If the author of some.cgi wasn't careful, its possible that some.cgi will spit back the source to someother.cgi.

-Blake