3 Replies Latest reply on Jun 15, 2003 2:51 PM by juhalindfors

    Jboss Vunerability Workaround

    penchan

      I've posted this on the news, but a moderator has to approve all new messages- and time seems to be of the essence..

      There is a vunerability that affects Jboss versions 3.21 (jetty/tomcat) to 4.0 DR1 (jetty,tomcat). If you append a %00 to any JSP file hosted on a Jboss server you will see the source code.

      Here is a temporary workaround.
      Insert this in your JSP source code:

      <% String pensfix=request.getParameter("%"); %>

      With this workaround, the client will recieve a HTTP 400 Bad Request Error instead of seeing your source code.

      Please let us know when a fix has been posted!

      Regards,

      Pen