The following web servers do not properly sanitize their output when returning a 404 resource not found error, which could be used in an XSS attack:

Orion 1.3.8
Orion 1.4.5
CompaqHTTPServer 2.1

PoC: http://localhost/

--
- Josh
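
The fix for this class of bug is to HTML-escape the requested path before it is written into the 404 page. The Python sketch below is an added example, not code from the post or from the affected servers; the page template, the inert probe string and the handler name are assumptions made for illustration.

```python
import html
from http.server import BaseHTTPRequestHandler
from urllib.parse import unquote

# Constructed, inert probe containing HTML metacharacters (not from the original post).
PROBE = "/probe-<i>\"'&"

# Assumed 404 page layout; the real servers' templates are not shown in the post.
PAGE = "<html><body><h1>404 Not Found</h1><p>{} was not found.</p></body></html>"

def render_404_unsafe(raw_path):
    # The flaw described above: the decoded request path is copied into the page as-is.
    return PAGE.format(unquote(raw_path))

def render_404_safe(raw_path):
    # Fix: HTML-escape the path (quotes included) before it reaches the page.
    return PAGE.format(html.escape(unquote(raw_path), quote=True))

def reflects_unescaped(body, probe=PROBE):
    # Regression check: True when the probe's metacharacters come back verbatim.
    return unquote(probe) in body

class Safe404Handler(BaseHTTPRequestHandler):
    # Hypothetical handler: every GET is answered with the escaped 404 page.
    def do_GET(self):
        body = render_404_safe(self.path).encode("utf-8")
        self.send_response(404)
        # Explicit type and charset, plus nosniff, so the browser does not guess.
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("X-Content-Type-Options", "nosniff")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

if __name__ == "__main__":
    print("unsafe page reflects probe:", reflects_unescaped(render_404_unsafe(PROBE)))
    print("safe page reflects probe:  ", reflects_unescaped(render_404_safe(PROBE)))
```

`reflects_unescaped` can be kept as a regression test against the error pages of any server you operate: request a path containing the inert probe and fail the build if it returns `True`.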