BadBlue 1.7.0 allows remote attackers to list the contents of directories via a URL with an encoded '%' character at the end.
http://www.securityfocus.com/bid/4912
http://www.iss.net/security_center/static/9239.php
http://archives.neohapsis.com/archives/bugtraq/2002-06/0003.html