lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Fri, 30 May 2003 19:59:08 +0200 (MES)
From: Marc Schoenefeld <schonef@...-muenster.de>
To: bugtraq@...urityfocus.com
Subject: JBOSS 3.2.1: JSP source code disclosure


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

jboss 3.2.1 with jetty seems to be vulnerable to jsp source code disclosure.

Trying to access the ServerInfo.jsp with an suffixed "%00" shows the source
code of this JSP. Seems to be a forgotten debug feature :-]

http://192.168.0.4:8080/web-console/ServerInfo.jsp%00

Sincerely
Marc Schoenefeld
(www.illegalaccess.org)

- --

Never be afraid to try something new. Remember, amateurs built the
ark; professionals built the Titanic. -- Anonymous

Marc Schönefeld Dipl. Wirtsch.-Inf. / Software Developer
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (AIX)
Comment: For info see http://www.gnupg.org

iD8DBQE+15vvqCaQvrKNUNQRAmlxAJ0SUWM8q1cv2qpt1TjkuC2RuhkLXgCeLUN4
beFf0+xrJmL/ex+e/nTlKUA=
=rfSA
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ