Zeus web server allows remote attackers to view the source code for CGI programs via a null character (%00) at the end of a URL.