It seems to me that module yaws_ctl is insecure. Now it is possible for a local user to find the yaws_ctl socket (usually there are only a few sockets which listen on localhost) and send a command to yaws_ctl, for example stopping the server (a DoS attack). The patched Yaws uses simple cookie-based authentication. The cookie is stored in the same file as the port to connect to. So, to be able to control Yaws, the attacker must read the Yaws control file.
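An added illustration of the scheme described above (not the Yaws patch itself, and not Erlang): a localhost control socket that honours a command only when the client echoes the cookie stored beside the port in an owner-readable control file. The file layout, the command names and the owner-only file mode are assumptions.

```python
import hmac
import os
import secrets
import socket
import tempfile
import threading


def write_ctl_file(path, port, cookie):
    """Store port and cookie; mode 0600 is the assumed protection of the file."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(f"{port}\n{cookie}\n")


def read_ctl_file(path):
    with open(path) as f:
        port, cookie = f.read().split()
    return int(port), cookie


def handle(conn, cookie):
    """Assumed wire format: '<cookie> <command>'. Constant-time cookie check."""
    parts = conn.recv(1024).decode().split(None, 1)
    if len(parts) == 2 and hmac.compare_digest(parts[0], cookie):
        conn.sendall(b"ok " + parts[1].encode())
    else:
        conn.sendall(b"denied")
    conn.close()


def start_server(cookie, connections):
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))          # kernel picks a free localhost port
    srv.listen(5)

    def loop():
        for _ in range(connections):
            conn, _ = srv.accept()
            handle(conn, cookie)
        srv.close()

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]


def send_command(port, cookie, command):
    with socket.create_connection(("127.0.0.1", port)) as c:
        c.sendall(f"{cookie} {command}".encode())
        return c.recv(1024).decode()


def demo():
    cookie = secrets.token_hex(16)
    port = start_server(cookie, 2)
    ctl = os.path.join(tempfile.mkdtemp(), "ctl")      # constructed control file
    write_ctl_file(ctl, port, cookie)
    denied = send_command(port, "guessed", "stop")    # knows the port, not the cookie
    ok = send_command(*read_ctl_file(ctl), "stop")     # owner reads port and cookie
    return denied, ok
```

Knowing the port alone yields "denied"; only a client that can read the control file gets the command honoured.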