The Red Hat Apache configuration may allow an attacker to view directory listings. The problem is reported to present itself when an attacker issues an HTTP GET request to a vulnerable server containing '//' characters, evading the rule desgined to prevent Apache from displaying directory listings with a request for '/'. The server is reported to disclose directory listings even when autoindex for the root directory has been disabled and a default welcome page is supposed to be displayed.
Successful exploits will disclose sensitive information that may be useful in further attacks against the system.
This problem has been reported to exist in Apache 2.0.40 shipped with Red Hat Linux 9.0. Other versions may be affected as well.