JBoss 3.2.1 with Jetty seems to be vulnerable to JSP source code disclosure.
Trying to access the ServerInfo.jsp with a suffixed "%00" shows the source code of this JSP. Seems to be a forgotten debug feature :-]
This is a problem that was accidentally re-introduced in Jetty 4.2.10pre0 and has now been fixed in 4.2.10pre1.
Only recent JBoss builds will have been affected and JBoss CVS will be updated shortly.
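
For anyone checking whether an affected build was probed before upgrading, the following is an added example (not part of the original messages and not Jetty or JBoss code) that scans access-log lines for JSP requests carrying an encoded null byte after the file name. It assumes Common Log Format; the sample log lines and the function names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Common Log Format (not from a real server).
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2004:10:00:00 +0000] "GET /ServerInfo.jsp HTTP/1.0" 200 5120
192.0.2.44 - - [01/Jan/2004:10:00:05 +0000] "GET /ServerInfo.jsp%00 HTTP/1.0" 200 2210
192.0.2.44 - - [01/Jan/2004:10:00:09 +0000] "GET /index.jsp%2500?x=1 HTTP/1.0" 404 310
192.0.2.77 - - [01/Jan/2004:10:01:00 +0000] "GET /img/logo.png HTTP/1.0" 200 900
"""

# client, method, request target, status code
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')


def decode_fully(path, max_rounds=3):
    """Percent-decode repeatedly so double-encoded forms (%2500) are caught."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def find_null_byte_jsp_requests(log_text):
    """Return requests whose decoded path is '<name>.jsp' followed by a NUL."""
    hits = []
    for line in log_text.splitlines():
        m = CLF.match(line)
        if not m:
            continue  # not a CLF line; skip rather than guess
        client, method, target, status = m.groups()
        path = decode_fully(target.split("?", 1)[0])  # ignore query string
        if "\x00" not in path:
            continue
        if path.split("\x00", 1)[0].lower().endswith(".jsp"):
            hits.append({
                "client": client,
                "target": target,
                "status": int(status),
                # A 200 means the server answered the request; compare the
                # response size with a normal render to judge disclosure.
                "served_ok": status == "200",
            })
    return hits


if __name__ == "__main__":
    for hit in find_null_byte_jsp_requests(SAMPLE_LOG):
        print(hit)
```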