Several web applications I tested have the behavior that reserved Windows filenames such as AUX, CON, NUL, PRN, COM1, LPT1 have different behavior than other pages. For example, http://example.com/foo
will give a 404, where http://example.com/aux
will give an 500 error.
What causes this behavior? Does this indicate a security problem?