Re: Heavy Security Issue

[Saqib Ali <docbook.xml () gmail com>]

Two questions:

1) I don't think Apache is serving your JSP pages. There has to be
Java Servlet engine (Tomcat, Resin etc), that is processing the
request? Can you please tell use engine you are using and version as
well. It would be better if you can send us the real URLs.

2) When you say "source code" do you mean the ram JSP source code, or
the processed HTML? I have seen some cases where you get the processed
HTML, which is no big deal, and certaily not a security issue. However
if you getting raw JSP source-code, then it is certainly an issue.

If you tell me the verion # etc of the Java servlet engine, I can test
it in the my Lab.

> I have an apache server and an app. running on it, but
> I recently found a little problem that consist in the
> following:
>
> - When I make a request for the following JSP for
> example:
> http://XX.XX.XX.XX:8081/en/dynapage/scripts/page.jsp
> the Jsp is interpreted and the request is successful
> an html is displayed in the browser.
>
> - But at the time I add a forward slash ether after
> the "en" or "dynapage" for example request must look
> as the following:
> http://XX.XX.XX.XX:8081/en//dynapage/scripts/page.jsp
> http://XX.XX.XX.XX:8081//en/dynapage/scripts/page.jsp
> what I get is a "download file" window that lets me
> download the .jsp file and view the source code :(

-- 
In Peace,
Saqib Ali
http://www.xml-dev.com/blog/