It is possible to access protected web pages by changing / with // or /./ This was a bug in old versions of CERN web server A work around consisted in rejecting patterns like: //* *//* /./* */./*

Upgrade your web server or tighten your filtering rules