When the default servlet in Apache Tomcat returned a redirect to a directory a specially crafted URL could be used to cause the redirect to be generated to any URI of the attackers choice.