JBOSS 3.2.1: JSP source code disclosure

marc_schoenefeld May 30, 2003 9:43 AM

Hi,

jboss 3.2.1 with jetty seems to be vulnerable to jsp source code disclosure.

Trying to access the ServerInfo.jsp with an suffixed "%00" shows the source code of this JSP. Seems to be a forgotten debug feature :-]

http://192.168.0.4:8080/web-console/ServerInfo.jsp%00

Sincerely
Marc Schoenefeld
(www.illegalaccess.org)

1. Re: JBOSS 3.2.1: JSP source code disclosure

marc_schoenefeld May 30, 2003 11:08 AM (in response to marc_schoenefeld)

just tested the new Jetty 4.2.9, which does not seem to be vulnerable, so the error (or is it a design feature) seems to be somewhere in a gluecode class....
Actions
2. Re: JBOSS 3.2.1: JSP source code disclosure

gregwilkins Jun 2, 2003 5:31 AM (in response to marc_schoenefeld)

The problem was accidentally (re)introduced in Jetty 4.2.10pre0, which has been copied to the JBoss CVS.

It is fixed in 4.2.10pre1 and the patch will shortly be in JBoss CVS.
Actions

Go to original post