Sh-httpd v0.3 and 0.4 contain a remote directory traversal vulnerability involving a wildcard character which allows attackers to read any file on the system and execute CGI's. Patch included.
a0ae3eee45856fba670f376c41e9f3a32c4c4558388732713876b66cc0eabf20