It has been discovered by Min Chang that there is a security vulnerability in the 1.1Beta version of JavaWebServer for win32. Similar to the IIS viewable source bug, if you append a '.' (period) or a '\' (backslash) to a .jhtml URL, the server will display the source. .jhtml files are html files with embedded Java code that are supposed to be compiled and returned to the client (sans the java code). Because these files can have things like jdbc queries or important server filenames embedded in them, it is a security risk. examples: http://localhost/xyz.jhtml. or http://localhost/xyz.jhtml\ brian -- Brian Krahmer - brianat_private - http://www.krahmer.com President, Network Guardians, Inc. Makers of NetGuard. 1.0 release coming after the new year! http://www.net-guards.com
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:37:02 PDT