Netcruiser Web server version 0.1.2.8 and earlier allows remote attackers to determine the physical path of the server via a URL containing (1) con, (2) com2, or (3) com3.
https://exchange.xforce.ibmcloud.com/vulnerabilities/6468
http://www.securityfocus.com/bid/2650
http://archives.neohapsis.com/archives/bugtraq/2001-04/0427.html