PT-2006-4694 · Apache · Apache Tomcat
Published: 2006-07-25 · Updated: 2022-05-01 · CVE-2006-3835
CVSS v2.0: 5.0 (Medium)
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Apache Tomcat versions prior to 5.5.17
Description
The issue allows remote attackers to list directories by inserting a semicolon (;) before a filename with a mapped extension. This is possible because the semicolon is used as a separator for path parameters, which changes the request into a directory request with a path parameter. If directory listings are enabled, a directory listing will be shown. This behavior was considered a security concern and led to changes in the default settings.
Recommendations
For Apache Tomcat versions prior to 5.5.17, consider disabling directory listings to minimize the risk of exploitation. As a permanent fix, update to version 5.5.17 or later, where directory listings are disabled by default.
Exploit
Fix
Information Disclosure
Weakness Enumeration
Related Identifiers
Affected Products
Apache Tomcat