JBOSS 3.2.1: JSP source code disclosure

From: Marc Schoenefeld (schonef@uni-muenster.de)
Date: Fri May 30 2003 - 10:59:08 PDT


    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    Hi,
    
    JBoss 3.2.1 with Jetty seems to be vulnerable to JSP source code disclosure.
    
    Trying to access the ServerInfo.jsp with a suffixed "%00" shows the source
    code of this JSP. Seems to be a forgotten debug feature :-]
    
    http://192.168.0.4:8080/web-console/ServerInfo.jsp%00
    
    Sincerely
    Marc Schoenefeld
    (www.illegalaccess.org)
    
    - --
    
    Never be afraid to try something new. Remember, amateurs built the
    ark; professionals built the Titanic. -- Anonymous
    
    Marc Schönefeld Dipl. Wirtsch.-Inf. / Software Developer
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.6 (AIX)
    Comment: For info see http://www.gnupg.org
    
    iD8DBQE+15vvqCaQvrKNUNQRAmlxAJ0SUWM8q1cv2qpt1TjkuC2RuhkLXgCeLUN4
    beFf0+xrJmL/ex+e/nTlKUA=
    =rfSA
    -----END PGP SIGNATURE-----
    
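The post above reports that a "%00" appended to a JSP path is enough to make the server hand back the page source instead of executing it. The script below is an added example for defenders, not code from the original post or from the JBoss or Jetty projects: it parses access-log lines in Common Log Format (the format and the sample lines are assumptions, constructed here for the illustration), flags any request whose path percent-decodes to contain a NUL byte (including a double-encoded "%2500"), and exposes the same check as a function a request filter could call before resolving a path on disk.

```python
"""Detect null-byte path truncation attempts (e.g. "/page.jsp%00") in access logs.

Added illustration only; not the original post's code and not JBoss/Jetty code.
The log format (Common Log Format) and the sample lines are constructed assumptions.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

# Constructed sample access-log lines (not real traffic). The second line mirrors
# the request pattern described in the post; the third is a double-encoded variant.
SAMPLE_LOG = """\
192.168.0.9 - - [30/May/2003:10:59:08 -0700] "GET /web-console/ServerInfo.jsp HTTP/1.0" 200 4821
192.168.0.9 - - [30/May/2003:10:59:12 -0700] "GET /web-console/ServerInfo.jsp%00 HTTP/1.0" 200 3107
192.168.0.9 - - [30/May/2003:10:59:15 -0700] "GET /web-console/ServerInfo.jsp%2500 HTTP/1.0" 404 512
192.168.0.9 - - [30/May/2003:10:59:20 -0700] "GET /index.html HTTP/1.0" 200 220
"""

# Common Log Format: host ident authuser [timestamp] "method path protocol" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)


def contains_null_byte(raw_path: str, max_decode_rounds: int = 2) -> bool:
    """Return True if raw_path contains a NUL after percent-decoding.

    Decoding is repeated up to max_decode_rounds times so that a double-encoded
    "%2500" (which decodes to "%00", then to NUL) is caught as well. Decoding stops
    early once a round changes nothing.
    """
    current = raw_path
    for _ in range(max_decode_rounds):
        if "\x00" in current:
            return True
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return "\x00" in current


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one CLF line into a dict, or return None if it does not match."""
    match = LOG_RE.match(line)
    return match.groupdict() if match else None


def find_null_byte_requests(log_text: str) -> List[Dict[str, str]]:
    """Return the parsed records whose request path decodes to contain a NUL byte."""
    hits = []
    for line in log_text.splitlines():
        record = parse_line(line)
        if record and contains_null_byte(record["path"]):
            # Keep the decoded form alongside the raw one for the analyst.
            record["decoded_path"] = unquote(record["path"])
            hits.append(record)
    return hits


def is_safe_request_path(raw_path: str) -> bool:
    """Server-side guard a request filter could apply before any file lookup:
    reject paths that contain a NUL in raw or decoded form."""
    return not contains_null_byte(raw_path)


if __name__ == "__main__":
    for hit in find_null_byte_requests(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} {hit['method']} {hit['path']!r} -> status {hit['status']}")
```

When run on the constructed sample it reports the two "%00"-style requests and ignores the clean ones. The signal worth alerting on is a 2xx status for such a request: a server that handles the path correctly has no reason to serve anything for a name containing NUL, so a successful response to one is the indicator that source (or some other unintended resource) may have been returned. The same `is_safe_request_path` check, placed in a filter ahead of path resolution, removes the whole class of truncation inputs rather than relying on the servlet container to do the right thing.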
    This archive was generated by hypermail 2b30 : Sun Jun 01 2003 - 12:45:29 PDT