I doubt this in the case of the browser. At least as far as the parsing is concerned. There may be a buffer overflow for example,
Buffer overflow seems like a much greater concern when dealing with a server. Particularly one which is supposedly "secure", and accessing "secured" documents. Even with the server running as 'nobody', if someone can implement buffer overflow to get access to documents they shouldn't then that would count as a pretty significant hack.
Right. Some other common ones are ".." and shell meta characters in paths. Also, accessing files that you don't have permissions to.

Even if the server is perfect, the setup could be bad. For instance, if you use CERN's Authentication scheme for protecting URL hierarchies, do not put the passwd/group file within the hierarchy. I've noticed this before on some servers, like http://www.isp.com/company1/passwd contains the passwd file for the http://www.isp.com/company1/ URL directory. Although it is convenient to store the passwd file within the hierarchy it is protecting, care must be taken to make it unreadable by normal HTTP requests. It's better to put it in a configuration directory somewhere where no server has access to. (I've seen this mistake plenty of times.)

A barebones web server is a pretty simple piece of software compared to a browser (or sendmail), so it should be possible to make them much more secure.

-Ray
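An added example, not part of the original post or of any server's code: a request-path check and a document-root audit covering the mistakes listed above (".." segments, shell metacharacters, and passwd/group files stored inside the served hierarchy). The function names, the set of auth-file names and the sample tree are assumptions constructed for illustration.

```python
import os
import re
import tempfile
from urllib.parse import unquote

AUTH_FILE_NAMES = {"passwd", "group"}  # assumed names; match the server's config
SHELL_META = re.compile(r"[;&|`$<>(){}*?'\"\\\n\r\x00]")

class RejectedPath(Exception):
    """Request path refused before any file is opened."""

def resolve_request_path(docroot, url_path):
    """Map the path component of a URL to a file under docroot, or raise."""
    decoded = unquote(url_path)  # decode %2e%2e and friends before checking
    if SHELL_META.search(decoded):
        raise RejectedPath("shell metacharacter")
    parts = [p for p in decoded.split("/") if p not in ("", ".")]
    if ".." in parts:
        raise RejectedPath("dot-dot segment")
    if parts and parts[-1].lower() in AUTH_FILE_NAMES:
        raise RejectedPath("auth file")
    root = os.path.realpath(docroot)
    target = os.path.realpath(os.path.join(root, *parts))
    # realpath follows symlinks, so a link leading out of the root fails here
    if os.path.commonpath([root, target]) != root:
        raise RejectedPath("outside document root")
    return target

def find_exposed_auth_files(docroot):
    """Audit a served tree for auth files stored inside it."""
    return sorted(os.path.relpath(os.path.join(d, f), docroot)
                  for d, _dirs, files in os.walk(docroot)
                  for f in files if f.lower() in AUTH_FILE_NAMES)

def demo():
    # Constructed requests and tree, shaped like the /company1/passwd layout.
    requests = ["/company1/index.html", "/company1/passwd",
                "/company1/../../etc/passwd", "/company1/%2e%2e/x", "/cgi/x;id"]
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "company1"))
        for name in ("index.html", "passwd"):
            open(os.path.join(root, "company1", name), "w").close()
        verdicts = {}
        for req in requests:
            try:
                resolve_request_path(root, req)
                verdicts[req] = "served"
            except RejectedPath as exc:
                verdicts[req] = str(exc)
        return verdicts, find_exposed_auth_files(root)
```

The per-request check is a backstop; the audit result is the one to act on, by moving any listed file to a configuration directory outside the served tree.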