Apache versions 2.0.39 and prior running on systems that support backslash path delimiters contain a path disclosure vulnerability.
The vulnerability is triggered when a malicious user submits a malformed string in a request from the browser. The server's response returns the full path of the requested file, including where Apache is installed. This lets the attacker see what system Apache is running on, the version of Apache, and the server version. The attacker can use this information for future attacks.
Exploit code targeting Apache 2.0.39 on Windows, NetWare, OS/2, and Cygwin systems has been released to the general public.
An upgraded version is available.
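
The following check for the exposure described above is an added example, not part of the original advisory. It reads a `Server` banner and an error-response body, flags versions at or below 2.0.39 on backslash platforms, and extracts any local filesystem paths the body leaks. The function names, the OS token spellings and the sample strings are assumptions constructed for illustration.

```python
import re

LAST_AFFECTED = (2, 0, 39)  # from the advisory: 2.0.39 and prior
# Assumption: OS tokens as Apache commonly prints them in the Server banner.
BACKSLASH_OS = ("win32", "netware", "os/2", "cygwin")

BANNER = re.compile(r"Apache/(\d+)\.(\d+)\.(\d+)(?:\s*\(([^)]*)\))?", re.I)
# Drive- or volume-rooted backslash path, e.g. C:\dir\file or SYS:\dir\file.
# Spaces are allowed inside directory names but not in the final component.
LOCAL_PATH = re.compile(
    r'\b[A-Za-z][A-Za-z0-9_]{0,14}:\\(?:[^\\/:*?"<>|\r\n]+\\)*[^\\/:*?"<>|\s]*'
)

# Constructed sample data, not captured from a real server.
SAMPLE_HEADER = "Apache/2.0.39 (Win32)"
SAMPLE_BODY = (
    r"<p>The requested file C:\Program Files\Apache Group\Apache2"
    r"\htdocs\index.html could not be served.</p>"
)

def assess(server_header, error_body):
    """Return banner exposure and any local paths leaked in an error body."""
    result = {"version_affected": None, "platform": "unknown", "leaked_paths": []}
    m = BANNER.search(server_header or "")
    if m:
        version = tuple(int(x) for x in m.group(1, 2, 3))
        # Follows the advisory's wording: anything at or below 2.0.39.
        result["version_affected"] = version <= LAST_AFFECTED
        if m.group(4) is not None:
            os_token = m.group(4).lower()
            hit = any(name in os_token for name in BACKSLASH_OS)
            result["platform"] = "backslash" if hit else "other"
    result["leaked_paths"] = sorted(set(LOCAL_PATH.findall(error_body or "")))
    return result

def needs_upgrade(result):
    """True for an affected version on a backslash or undetermined platform,
    or whenever a local path was seen in the response body."""
    exposed = result["version_affected"] and result["platform"] != "other"
    return bool(exposed or result["leaked_paths"])

if __name__ == "__main__":
    report = assess(SAMPLE_HEADER, SAMPLE_BODY)
    print(report, needs_upgrade(report))
```

A banner that hides the version or OS leaves those fields undetermined, so the body scan is the more reliable of the two signals.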