Multiple Format String Bugs found in Xitami 2.5c2.
"Multiple format string vulnerabilities have been found in xitami, allowing a malicious user to execute arbitrary code, or at least cause a DoS attack, on a target machine running a vulnerable version of Xitami Web Server. More technical details, together with a possible fix, are provided at the link below.
The best/easiest solution to these problems is probably to locate all calls to send_fmt() and change them from something like:
sendfmt (&operq, "ERROR", server_message);
sendfmt (&operq, "ERROR", "%s", server_message);"