A problem has been identified in the handling of some characters by sh-httpd. Because of this, an attacker may be able to gain unauthorized access to information.
sh-httpd contains a flaw that allows a remote attacker to access arbitrary files and directories outside of the web path. The server does not properly sanitize user input, specifically directory traversal sequences (../../) supplied via the URI. It is also possible for an attacker to execute arbitrary CGI programs outside of the /cgi-bin/ directory.
Currently, there are no known workarounds or upgrades to correct this issue. However, the vulnerability reporter has released a patch to address this vulnerability.
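The kind of check whose absence is described above, as an added example: this is not sh-httpd code and not the reporter's patch. It canonicalizes the request path before any file is opened and takes the CGI decision from the canonical path only. DOCROOT, CGI_PREFIX, both function names and the sample requests are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not sh-httpd code. DOCROOT, CGI_PREFIX and both function
# names are assumptions made for this illustration.
DOCROOT=/var/www/html
CGI_PREFIX=/cgi-bin

# Print the canonical form of the URI's path, or fail (status 1) if it is
# relative, carries encoded dots/slashes, or climbs above "/".
# The body is a subshell, so IFS and "set -f" do not leak to the caller.
normalize_uri_path() (
    path=${1%%\?*}                           # drop the query string
    case $path in
        *%2[eEfF]*|*%5[cC]*|*%00*) exit 1 ;; # refuse encoded . / \ NUL
        /*) ;;
        *) exit 1 ;;                         # must be absolute
    esac
    out=
    set -f                                   # no globbing while splitting
    IFS=/
    for seg in $path; do
        case $seg in
            ''|.) ;;                         # empty segment or "."
            ..) [ -n "$out" ] || exit 1      # ".." at the root: reject
                out=${out%/*} ;;             # otherwise pop one segment
            *)  out="$out/$seg" ;;
        esac
    done
    printf '%s\n' "${out:-/}"
)

# Decide static vs. CGI from the canonical path only, so a request cannot
# borrow the /cgi-bin/ prefix and then walk out of it.
classify_request() (
    norm=$(normalize_uri_path "$1") || exit 1
    case $norm in
        "$CGI_PREFIX"/?*) printf 'cgi %s\n' "$DOCROOT$norm" ;;
        *)                printf 'static %s\n' "$DOCROOT$norm" ;;
    esac
)

# Constructed sample requests.
for uri in /index.html '/a/./b/../c.html?x=1' /../../etc/passwd \
           /cgi-bin/status.sh /cgi-bin/../notes.sh /cgi-bin/../../bin/sh; do
    printf '%-26s -> %s\n' "$uri" "$(classify_request "$uri" || echo reject)"
done
```

The check is purely lexical: it does not resolve symbolic links inside the document root, and it refuses percent-encoded dots and slashes rather than decoding them.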