low: Directory listing
CVE-2006-3835
This is expected behaviour when directory listings are enabled. The
semicolon (;) is the separator for path parameters so inserting one
before a file name changes the request into a request for a directory
with a path parameter. If directory listings are enabled, a diretcory
listing will be shown. In response to this and other directory listing
issues, directory listings were changed to be disabled by default.
Affects: 4.0.0-4.0.6, 4.1.0-4.1.31
important: Denial of service
CVE-2005-3510
The root cause is the relatively expensive calls required to generate
the content for the directory listings. If directory listings are
enabled, the number of files in each directory should be kepp to a
minimum. In response to this issue, directory listings were changed to
be disabled by default. Additionally, a
patch has been proposed that would improve performance, particularly
for large directories, by caching directory listings.
Affects: 4.0.0-4.0.6, 4.1.0-4.1.31