Bugtraq mailing list archives

JBOSS 3.2.1: JSP source code disclosure
From: Marc Schoenefeld <schonef () uni-muenster de>
Date: Fri, 30 May 2003 19:59:08 +0200 (MES)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

jboss 3.2.1 with jetty seems to be vulnerable to jsp source code disclosure.

Trying to access the ServerInfo.jsp with a suffixed "%00" shows the source
code of this JSP. Seems to be a forgotten debug feature :-]

http://192.168.0.4:8080/web-console/ServerInfo.jsp%00

Sincerely
Marc Schoenefeld
(www.illegalaccess.org)

- --

Never be afraid to try something new. Remember, amateurs built the
ark; professionals built the Titanic. -- Anonymous

Marc Schönefeld Dipl. Wirtsch.-Inf. / Software Developer
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (AIX)
Comment: For info see http://www.gnupg.org

iD8DBQE+15vvqCaQvrKNUNQRAmlxAJ0SUWM8q1cv2qpt1TjkuC2RuhkLXgCeLUN4
beFf0+xrJmL/ex+e/nTlKUA=
=rfSA
-----END PGP SIGNATURE-----
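
A detection sketch for the request pattern reported in the message above, added here as an example and not part of the original post: it scans access-log lines for a percent-encoded NUL byte in the request path and records whether the server answered with a 2xx status. The NCSA common log format, the function name `find_nul_requests` and the sample lines are assumptions made for the example.

```python
import re
from urllib.parse import unquote_to_bytes

# Assumption: NCSA common/combined log format; adjust the pattern to your server.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines (not taken from any real server).
SAMPLE_LOG = """\
192.0.2.10 - - [30/May/2003:20:01:11 +0200] "GET /web-console/ServerInfo.jsp HTTP/1.0" 200 4312
192.0.2.77 - - [30/May/2003:20:02:40 +0200] "GET /web-console/ServerInfo.jsp%00 HTTP/1.0" 200 9120
192.0.2.77 - - [30/May/2003:20:02:55 +0200] "GET /app/index.jsp%00?x=1 HTTP/1.0" 404 310
192.0.2.10 - - [30/May/2003:20:03:02 +0200] "GET /img/logo%20small.png HTTP/1.0" 200 1800
"""


def find_nul_requests(log_text):
    """Return one finding per request whose decoded path contains a NUL byte."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        path = m.group("target").split("?", 1)[0]  # drop the query string
        decoded = unquote_to_bytes(path)           # %00 -> b"\x00", %20 -> b" "
        nul_at = decoded.find(b"\x00")
        if nul_at == -1:
            continue
        status = int(m.group("status"))
        findings.append({
            "client": m.group("client"),
            "path": path,
            # The resource name as it reads up to the NUL byte.
            "before_nul": decoded[:nul_at].decode("latin-1"),
            "status": status,
            # A 2xx answer means the request was served, so the response
            # body may have contained source text: review these first.
            "served": 200 <= status < 300,
        })
    return findings


if __name__ == "__main__":
    for finding in find_nul_requests(SAMPLE_LOG):
        print(finding)
```

Findings with `served` set are the ones to compare against the normal response size for the same page, since a disclosed source file usually differs in length from the rendered output.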

