AN HTTPD 1.42n, and possibly other versions before 1.42p, allows remote attackers to obtain source code of scripts via crafted requests with (1) dot and (2) space characters in the file extension.
https://exchange.xforce.ibmcloud.com/vulnerabilities/25591
http://www.vupen.com/english/advisories/2006/1200
http://www.securityfocus.com/bid/17350
http://www.securityfocus.com/archive/1/429667/100/0/threaded
http://securitytracker.com/id?1015858