Requesting a URL with '%00', '%2e', '%2f' or '%5c' appended to it makes some WebLogic servers dump the listing of the page directory, thus showing potentially sensitive files. An attacker may also use this flaw to view the source code of JSP files, or other dynamic content. Reference : http://www.securityfocus.com/bid/2513

upgrade to WebLogic 6.0 with Service Pack 1