CVE-2007-6405

Name of the Vulnerable Software and Affected Versions Sergey Lyubka Simple HTTPD (shttpd) versions 1.38 and earlier

Description The issue allows remote attackers to download arbitrary CGI programs or scripts via a specially crafted URI. This can be achieved by appending certain characters to the URI, including (1) '+' character, (2) '.' character, (3) %2e sequence (hex-encoded dot), or (4) hex-encoded character greater than 0x7f.

Recommendations For versions 1.38 and earlier, update to a version later than 1.38 to resolve the issue. As a temporary workaround, consider restricting access to CGI programs or scripts to minimize the risk of exploitation. Avoid using the affected URI patterns in the shttpd server until the issue is resolved.