Bugtraq mailing list archives
Viewable .jhtml source with JavaWebServer
From: brian () KRAHMER COM (Brian Krahmer)
Date: Wed, 16 Jul 1997 14:01:05 -0500
It has been discovered by Min Chang that there is a security vulnerability in the 1.1Beta version of JavaWebServer for win32. Similar to the IIS viewable source bug, if you append a '.' (period) or a '\' (backslash) to a .jhtml URL, the server will display the source. .jhtml files are html files with embedded Java code that are supposed to be compiled and returned to the client (sans the java code). Because these files can have things like jdbc queries or important server filenames embedded in them, it is a security risk. examples: http://localhost/xyz.jhtml. or http://localhost/xyz.jhtml\ brian -- Brian Krahmer - brian () krahmer com - http://www.krahmer.com President, Network Guardians, Inc. Makers of NetGuard. 1.0 release coming after the new year! http://www.net-guards.com
Current thread:
- Viewable .jhtml source with JavaWebServer Brian Krahmer (Jul 16)