Hi,JBoss 4.0DR1 (Jetty-version) is still vulnerable to JSP source codedisclosure. Nothing has changed since the post of the samevulnerability in the 3.2.1 version.For those of you who missed the original post,try the following URLs in your JBoss installation:http://127.0.0.1:8080/web-console/ServerInfo.jsp%00http://127.0.0.1:8080/web-console/applet.jsp%001While browsing the source, you will notice thatthe jsp tags are not processed!SincerelyMarc