Bugtraq mailing list archives
JBOSS 3.2.1: JSP source code disclosure
From: Marc Schoenefeld <schonef () uni-muenster de>
Date: Fri, 30 May 2003 19:59:08 +0200 (MES)
Hi,

jboss 3.2.1 with jetty seems to be vulnerable to jsp source code disclosure. Trying to access the ServerInfo.jsp with a suffixed "%00" shows the source code of this JSP. Seems to be a forgotten debug feature :-]

http://192.168.0.4:8080/web-console/ServerInfo.jsp%00

Sincerely
Marc Schoenefeld (www.illegalaccess.org)

-- 
Never be afraid to try something new. Remember, amateurs built the ark; professionals built the Titanic. -- Anonymous

Marc Schönefeld Dipl. Wirtsch.-Inf. / Software Developer
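Added example (not part of the original post): a log check for the request pattern reported above, flagging any request whose decoded path has a NUL byte directly after a JSP file name. The Common Log Format layout, the sample lines, the extension list and the function names are assumptions made for this illustration.

```python
import re
from urllib.parse import unquote_to_bytes

# Request and status fields of a Common Log Format line (assumed log layout).
_REQUEST = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Extensions whose source must never be returned verbatim (assumed list).
_SCRIPT_EXT = (b".jsp", b".jspx")

# Constructed sample lines; client addresses are documentation-range values.
SAMPLE_LOG = [
    '192.0.2.10 - - [30/May/2003:19:58:01 +0200] "GET /web-console/ServerInfo.jsp HTTP/1.1" 200 5120',
    '192.0.2.10 - - [30/May/2003:19:58:07 +0200] "GET /web-console/ServerInfo.jsp%00 HTTP/1.1" 200 7340',
    '192.0.2.11 - - [30/May/2003:20:02:44 +0200] "GET /web-console/ServerInfo.JSP%00 HTTP/1.0" 404 312',
    '192.0.2.12 - - [30/May/2003:20:05:13 +0200] "GET /index.html?q=%00 HTTP/1.1" 200 900',
    'malformed line without a request field',
]


def decoded_path(target):
    """Drop the query string and percent-decode the path to raw bytes."""
    path = target.split("?", 1)[0]
    return unquote_to_bytes(path)


def nul_suffix_hits(log_lines):
    """Return (target, status, served) for requests with a NUL right after a JSP name.

    served is True when the status was 200, i.e. the server answered the
    request with a body and the response should be reviewed for leaked source.
    """
    hits = []
    for line in log_lines:
        match = _REQUEST.search(line)
        if match is None:
            continue  # not a parsable request line
        head, nul, _tail = decoded_path(match.group("target")).partition(b"\x00")
        if nul and head.lower().endswith(_SCRIPT_EXT):
            status = int(match.group("status"))
            hits.append((match.group("target"), status, status == 200))
    return hits


if __name__ == "__main__":
    for target, status, served in nul_suffix_hits(SAMPLE_LOG):
        print(f"{status} served={served} {target}")
```

A hit with status 200 is the case to review first, since the server returned content for a path that should not resolve to a servable file.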
Current thread:
- JBOSS 3.2.1: JSP source code disclosure Marc Schoenefeld (Jun 01)