source: http://www.securityfocus.com/bid/762/info

Certain versions of the AN-HTTPd server contain default CGI scripts that allow code to be executed remotely. This is due to poor sanity checking on user supplied data. 

http://www.xxx.yy/cgi-bin/input.bat?|dir..\..\windows