jsp%00 code reveal bug?

shareme Jun 18, 2003 8:21 PM

I am seeing this bug on JBoss 3.2.1

basically the jsp%00 bug that we have seen in recent 18 m,onths on jetty and tomcat..

URLs I have tested thus far are:

http://localhost:8080/jmx-console/index.jsp%00

There is security focus report filed onthis bug any news on which minor release past 3.2.1 might fix it?

Thanks..

1. Re: jsp%00 code reveal bug?

stng Jun 19, 2003 1:22 AM (in response to shareme)

Yup, I'm seeing the same problem. It affects all JSPs afaict. Has this really been around for over a year??
Actions
2. Re: jsp%00 code reveal bug?

stng Jun 19, 2003 1:46 AM (in response to shareme)

Hmm... this seems related to another bug.

If you use a capitalized .JSP for a .jsp file in Windows, it will reveal the source code. Haven't tested it on a Linux machine, so I don't know if these bugs are Windows-specific. If so, it may be some sort of mismatch due to Window's case-insensitivity. Probably matches a filename check but fails an exact search, so it gets interpretted as a html/text content. That's my gut suspicion...

Another possibility is that there's an error in the code with respect to the matching. I'll know more once I try it on Linux.

Anyone know offhand what package the source with the bug might be in? If so, I may try fixing it.
Actions

Go to original post