thttpd supports virtual hosts, which is a web server configuration allowing multiple web sites to be hosted on the same server.
mini_httpd is another Unix web server by the same developers as thttpd. It was developed mainly for experimentation.
5/7/03
CAN 2002-1562
If virtual hosting is enabled, a remote attacker could view files outside of the web root directory by supplying an HTTP Host: header containing slash-dot-dot (/..) sequences. If thttpd is run with chroot, an attack would be limited to the top of the chroot tree. Otherwise, the attacker could view any file on the entire disk.
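A defensive check for the Host: header issue described above, as an added example (not thttpd's own code or its actual fix). The functions vhost_name_is_safe and build_vhost_path and the /var/www/vhosts root are hypothetical names chosen for illustration; the check accepts hostname characters only, so IPv6 literals are rejected as well.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not thttpd code): returns 1 if the first len bytes of
 * host can be used as a single directory name under the vhost root, else 0. */
static int vhost_name_is_safe(const char *host, size_t len)
{
    size_t i;
    if (len == 0 || len > 253)
        return 0;
    if (host[0] == '.' || host[len - 1] == '.')
        return 0;                 /* no hidden or dot-terminated names */
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)host[i];
        /* Hostname characters only: excludes '/', '\\', '%' and whitespace. */
        if (!isalnum(c) && c != '-' && c != '.')
            return 0;
        if (c == '.' && i + 1 < len && host[i + 1] == '.')
            return 0;             /* no ".." anywhere in the name */
    }
    return 1;
}

/* Builds "<root>/<host>" into out. Returns 0 on success, -1 if the header is
 * rejected or the result does not fit. An optional ":port" suffix is dropped. */
int build_vhost_path(const char *root, const char *host_hdr,
                     char *out, size_t outlen)
{
    size_t len = strcspn(host_hdr, ":");
    int n;
    if (!vhost_name_is_safe(host_hdr, len))
        return -1;
    n = snprintf(out, outlen, "%s/%.*s", root, (int)len, host_hdr);
    if (n < 0 || (size_t)n >= outlen)
        return -1;                /* truncated paths are refused, not served */
    return 0;
}

int main(void)
{
    /* Constructed sample Host: values, including the "/.." form. */
    const char *s[] = { "www.example.com:8080", "/../../etc", "a/..", "" };
    char path[512];
    size_t i;
    for (i = 0; i < sizeof s / sizeof s[0]; i++)
        printf("%-22s -> %s\n", s[i], build_vhost_path("/var/www/vhosts", s[i],
               path, sizeof path) == 0 ? path : "REJECTED");
    return 0;
}
```

Validating the header before it reaches the filesystem complements chroot: chroot bounds what a traversal can reach, while the check keeps the request inside the intended virtual host directory.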
CAN 1999-1457
CVE 2000-0359
thttpd versions prior to 2.0.5 are affected by a buffer overflow in the tdate_parse function. A remote attacker could execute arbitrary commands by including a long, specially crafted value in the If-Modified-Since: header within an HTTP request.
CAN 2001-0892
When the chroot option is enabled, thttpd does not properly handle requests for protected files. By appending a trailing slash to a request, a remote attacker could view files which should not be readable, such as files in password protected directories.
The buffer overflow in date parsing was posted to Bugtraq.
The permissions bypass vulnerability was posted to Bugtraq.