thttpd ssi file retrieval

Summary
The remote HTTP server allows an attacker to read arbitrary files on the remote web server, by employing a weakness in an included ssi package, by prepending pathnames with %2e%2e/ (hex- encoded ../) to the pathname. Example: GET /cgi-bin/ssi//%2e%2e/%2e%2e/etc/passwd will return /etc/passwd.
Solution
upgrade to version 2.20 of thttpd.