2 Replies Latest reply on Jun 19, 2003 1:46 AM by Stanford Ng

    jsp%00 code reveal bug?

    Fred Grott Newbie

      I am seeing this bug on JBoss 3.2.1

      basically the jsp%00 bug that we have seen in recent 18 m,onths on jetty and tomcat..

      URLs I have tested thus far are:

      http://localhost:8080/jmx-console/index.jsp%00

      There is security focus report filed onthis bug any news on which minor release past 3.2.1 might fix it?

      Thanks..

        • 1. Re: jsp%00 code reveal bug?
          Stanford Ng Newbie

          Yup, I'm seeing the same problem. It affects all JSPs afaict. Has this really been around for over a year??

          • 2. Re: jsp%00 code reveal bug?
            Stanford Ng Newbie

            Hmm... this seems related to another bug.

            If you use a capitalized .JSP for a .jsp file in Windows, it will reveal the source code. Haven't tested it on a Linux machine, so I don't know if these bugs are Windows-specific. If so, it may be some sort of mismatch due to Window's case-insensitivity. Probably matches a filename check but fails an exact search, so it gets interpretted as a html/text content. That's my gut suspicion...

            Another possibility is that there's an error in the code with respect to the matching. I'll know more once I try it on Linux.

            Anyone know offhand what package the source with the bug might be in? If so, I may try fixing it.