That program acts as a filter: it uses the PATH_TRANSLATED feature to
access html files in your server tree and translates <! sql ...> tags
into html viewable text, leaving the other parts of the html file unchanged.
The problem is that www-sql does nothing to verify whether a user is allowed
to access the intended PATH_TRANSLATED file.
So, suppose your htdocs tree is /home/htdocs/ and
you have a subdirectory /home/htdocs/protected/ to which
you have restricted access using a .htaccess file.
In your browser, enter the URL http://your.server/protected/something.html:
you are prompted for a username and a password.
Now, enter the URL http://your.server/cgi-bin/www-sql/protected/something.html:
you get the requested file without being prompted.
www-sql is available in the Incoming directory on sunsite.
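The following is an added example, not code from www-sql or from the original post: one way a CGI filter could perform the missing check before opening PATH_TRANSLATED. The function name may_serve_directly is hypothetical, DOCUMENT_ROOT is assumed to be set by the server, and the check covers only .htaccess files, not restrictions configured elsewhere in the server.

```c
#define _XOPEN_SOURCE 700   /* realpath() */
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: 1 = safe to serve, 0 = refuse (fail closed). */
int may_serve_directly(const char *docroot, const char *path_translated)
{
    char root[PATH_MAX], dir[PATH_MAX], probe[PATH_MAX + 16];
    struct stat st;
    size_t rlen;
    char *slash;

    /* Canonicalise both paths so ".." and symlinks cannot hide the target. */
    if (!realpath(docroot, root) || !realpath(path_translated, dir))
        return 0;
    if (stat(dir, &st) != 0 || !S_ISREG(st.st_mode))
        return 0;
    rlen = strlen(root);
    if (strncmp(dir, root, rlen) != 0 || dir[rlen] != '/')
        return 0;                       /* outside the document root */

    /* Walk from the file's directory up to the root; any .htaccess on the
     * way means the server would have applied rules this CGI cannot see. */
    while ((slash = strrchr(dir, '/')) != NULL && (size_t)(slash - dir) >= rlen) {
        *slash = '\0';
        snprintf(probe, sizeof probe, "%s/.htaccess", dir);
        if (access(probe, F_OK) == 0)
            return 0;
    }
    return 1;
}

int main(void)
{
    const char *root = getenv("DOCUMENT_ROOT");   /* assumed set by the server */
    const char *pt = getenv("PATH_TRANSLATED");

    if (!root || !pt || !may_serve_directly(root, pt)) {
        fputs("Status: 403 Forbidden\r\nContent-Type: text/plain\r\n\r\n"
              "Forbidden\n", stdout);
        return 0;
    }
    fputs("Content-Type: text/plain\r\n\r\nOK to filter this file\n", stdout);
    return 0;
}
```

With the layout from the example above, /home/htdocs/protected/something.html is refused because /home/htdocs/protected/.htaccess exists, while an unprotected file elsewhere in the tree is still served.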