Hi,
JBoss 4.0DR1 (Jetty-version) is still vulnerable to JSP source code
disclosure. Nothing has changed since the post of the same
vulnerability in the 3.2.1 version.
For those of you who missed the original post,
try the following URLs in your JBoss installation:
http://127.0.0.1:8080/web-console/ServerInfo.jsp%00
http://127.0.0.1:8080/web-console/applet.jsp%001
While browsing the source, you will notice that
the JSP tags are not processed!
Sincerely
Marc
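
Added example, not part of the original post: a log check a defender could run to find requests matching the URLs above, where an encoded NUL byte (%00) follows a .jsp name in the path. The access-log format (Common Log Format), the sample lines and all function names are assumptions made for this illustration.

```python
import re
from urllib.parse import unquote_to_bytes

# Request line inside a Common/Combined Log Format entry (assumed format).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')

# Constructed sample access-log lines (not taken from a real server).
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2004:10:00:00 +0000] "GET /web-console/ServerInfo.jsp HTTP/1.0" 200 5120
192.0.2.44 - - [01/Jan/2004:10:00:05 +0000] "GET /web-console/ServerInfo.jsp%00 HTTP/1.0" 200 2301
192.0.2.44 - - [01/Jan/2004:10:00:09 +0000] "GET /web-console/applet.jsp%001 HTTP/1.0" 200 1877
192.0.2.10 - - [01/Jan/2004:10:01:00 +0000] "GET /web-console/img/logo.gif?x=%00 HTTP/1.0" 200 900
"""


def nul_after_jsp(target: str) -> bool:
    """True if the decoded path has a NUL byte directly after a .jsp name."""
    path = target.split("?", 1)[0]        # the query string is not part of the path
    decoded = unquote_to_bytes(path)      # one round of percent-decoding
    head, sep, _tail = decoded.partition(b"\x00")
    return bool(sep) and head.lower().endswith(b".jsp")


def find_suspect_requests(log_text: str):
    """Return (client, target, status) for each request matching the pattern."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m or not nul_after_jsp(m.group("target")):
            continue
        client = line.split(" ", 1)[0]
        rest = line[m.end():].split()
        status = rest[0] if rest else "-"  # status code follows the request line
        hits.append((client, m.group("target"), status))
    return hits


if __name__ == "__main__":
    for client, target, status in find_suspect_requests(SAMPLE_LOG):
        print(f"{client} {status} {target}")
```

A 200 status on a flagged line is the case to review first, since it means the server returned a body for that request.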