thttpd before 2.25b-r6 in Gentoo Linux is started from the system root directory (/) by the Gentoo baselayout 1.12.6 package, which allows remote attackers to read arbitrary files.
http://www.securityfocus.com/bid/22349
http://www.gentoo.org/security/en/glsa/glsa-200701-28.xml
http://secunia.com/advisories/24018