O'Reilly Website Professional 2.5.4 and earlier allows remote attackers to determine the physical path to the root directory via a URL request containing a ":" character.
https://exchange.xforce.ibmcloud.com/vulnerabilities/3839
http://archives.neohapsis.com/archives/bugtraq/2001-03/0236.html