OmniHTTPd 2.0.8 and previous versions allow remote malicious users to obtain source code via a GET request with the URL-encoded symbol for a space (%20).
source: wwwsecurityfocuscom/bid/2788/info
Submitting a specially crafted GET request for a known file (php, pl, or shtml), could cause OmniHTTPD to disclose the source code of the requested resource The GET requested would have to be appended with the Unicode equivalent of a space
Example:
GET /filenamephp%20
...