In the function decodeString() you can jump over the terminating zero byte, if you place the '%' character at the right (wrong) place, and access the memory after it.
For example if you run the following command, it will output your first environment variable:
httpd -d "%20%8"; echo
This function is used in the handleIncoming(), too. This is maybe a security risk, so it sould better be fixed soon. I have write a patch that correct it and attach it to this bug report.
Sorry, for my bad english. I hope you can understand it.
httpd_bufferoverflow.patch [^] (1,155 bytes) 12-23-05 06:35 httpd_bufferoverflow2.patch [^] (1,197 bytes) 12-23-05 06:47 
