source: http://www.securityfocus.com/bid/5177/info

It has been reported that version 1.0.2 of KF Web Server discloses the contents of directories when a certain character is present in the URL.

If a remote attacker appends the "%00" character, it will cause the web server to display the contents of the current directory.

http://server_name/subdir/%00
http://server_name/%00