Hi,
JBoss 3.2.1 with Jetty seems to be vulnerable to JSP source code disclosure.
Trying to access the ServerInfo.jsp with a suffixed "%00" shows the source code of this JSP. Seems to be a forgotten debug feature :-]
http://192.168.0.4:8080/web-console/ServerInfo.jsp%00
Sincerely
Marc Schoenefeld
(www.illegalaccess.org)

This is a problem that was accidentally re-introduced in Jetty 4.2.10pre0 and has now been fixed in 4.2.10pre1.
Only recent JBoss builds will have been affected and JBoss CVS will be updated shortly.
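
For checking whether a server received requests of the kind described in this thread, the following is an added example, not part of either message and not Jetty or JBoss code. It scans access-log lines for a JSP path followed by an encoded NUL byte, and goes slightly beyond the post by also catching the double-encoded form (%2500). The log format (Common Log Format), the sample lines and all function names are assumptions made for the example.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample access-log lines (Common Log Format); not taken from the post.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2000:10:00:00 +0000] "GET /web-console/ServerInfo.jsp HTTP/1.1" 200 5120',
    '192.0.2.11 - - [01/Jan/2000:10:00:05 +0000] "GET /web-console/ServerInfo.jsp%00 HTTP/1.1" 200 2311',
    '192.0.2.11 - - [01/Jan/2000:10:00:09 +0000] "GET /web-console/ServerInfo.jsp%2500 HTTP/1.1" 404 0',
    '192.0.2.12 - - [01/Jan/2000:10:00:12 +0000] "GET /images/logo.gif?x=%00 HTTP/1.1" 200 900',
]

# Request line and status code as they appear in Common Log Format.
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3})')
JSP_EXTS = (b".jsp", b".jspx")


def decode_path(target, max_rounds=3):
    """Percent-decode the path (query string dropped) until it stops changing,
    so that a double-encoded NUL such as %2500 is seen as well."""
    raw = target.split("?", 1)[0].encode("latin-1", "replace")
    for _ in range(max_rounds):
        decoded = unquote_to_bytes(raw)
        if decoded == raw:
            break
        raw = decoded
    return raw


def nul_suffixed_jsp(target):
    """True when the decoded path holds a NUL byte directly after a JSP name."""
    path = decode_path(target)
    nul = path.find(b"\x00")
    return nul != -1 and path[:nul].lower().endswith(JSP_EXTS)


def scan(lines):
    """Return (request target, status) for every matching log line.
    A 200 status means the server answered the request and the response
    body should be reviewed for disclosed source."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if m and nul_suffixed_jsp(m["target"]):
            hits.append((m["target"], int(m["status"])))
    return hits


if __name__ == "__main__":
    for target, status in scan(SAMPLE_LOG):
        print(status, target)
```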