If virtual hosts are usid it's possible to traverse directories with …/ in Host: header.
vulners.com/securityvulns/securityvulns:doc:5336