Apache 1.3.20 with Multiviews enabled allows remote attackers to view directory contents and bypass the index page via a URL containing the "M=D" query string.
https://exchange.xforce.ibmcloud.com/vulnerabilities/8275
http://www.securityfocus.com/bid/3009
http://www.securityfocus.com/archive/1/20010709214744.A28765%40brasscannon.net
http://www.redhat.com/support/errata/RHSA-2001-164.html
http://www.redhat.com/support/errata/RHSA-2001-126.html
http://www.apacheweek.com/issues/01-10-05#security
http://frontal2.mandriva.com/security/advisories?name=MDKSA-2001:077