ScanAlert Security Advisory: http://archives.neohapsis.com/archives/fulldisclosure/2006-07/0467.html Apache Tomcat can be forced to reveal a complete directory listing for any directory by requesting a mapped file extension prepended with a semicolon, a reserved character. The file does not need to exist.
Check bug 201915 for additional information.