BadBlue 1.7.0 allows remote malicious users to list the contents of directories via a URL with an encoded '%' character at the end.
Working Resources Inc. BadBlue 1.7.0