0 Replies Latest reply on Jun 14, 2003 7:55 AM by marc_schoenefeld

    JSP source disclosure: JBoss 4.0DR1 (Jetty-version)

    marc_schoenefeld Newbie

      Hi,

      JBoss 4.0DR1 (Jetty-version) is still vulnerable to JSP source code
      disclosure. Nothing has changed since the post of the same
      vulnerability in the 3.2.1 version.

      For those of you who missed the original post,
      try the following URLs in your JBoss installation:
      http://127.0.0.1:8080/web-console/ServerInfo.jsp%00
      http://127.0.0.1:8080/web-console/applet.jsp%001

      While browsing the source, you will notice that
      the jsp tags are not processed!

      Sincerely
      Marc