How about a very simple suggestion to cure the problem - comment out the body code of ParseAuth:
static void
ParseAuth(Conn *connPtr, char *auth)
{
#if 0
......
#endif
}
This of course disables any authorisation.
If you don't use authorisation and have not planned an upgrade to a later release of AOLserver then this gives a quick fix to the security problem.
This still leaves the problem in the TCL ns_uudecode function.
Andy