WebApp Sec mailing list archives
Re: Heavy Security Issue
From: Saqib Ali <docbook.xml () gmail com>
Date: Wed, 3 Aug 2005 19:49:40 -0700
Two questions:

1) I don't think Apache is serving your JSP pages. There has to be a Java Servlet engine (Tomcat, Resin etc.) that is processing the request. Can you please tell us the engine you are using and the version as well? It would be better if you can send us the real URLs.

2) When you say "source code", do you mean the raw JSP source code, or the processed HTML? I have seen some cases where you get the processed HTML, which is no big deal, and certainly not a security issue. However, if you are getting the raw JSP source code, then it is certainly an issue. If you tell me the version # etc. of the Java servlet engine, I can test it in my Lab.
> I have an apache server and an app. running on it, but I recently found a little problem that consists in the following:
>
> - When I make a request for the following JSP, for example:
>   http://XX.XX.XX.XX:8081/en/dynapage/scripts/page.jsp
>   the JSP is interpreted, the request is successful and an HTML page is displayed in the browser.
>
> - But when I add a forward slash either after the "en" or "dynapage", for example the request looks like the following:
>   http://XX.XX.XX.XX:8081/en//dynapage/scripts/page.jsp
>   http://XX.XX.XX.XX:8081//en/dynapage/scripts/page.jsp
>   what I get is a "download file" window that lets me download the .jsp file and view the source code :(
--
In Peace,
Saqib Ali
http://www.xml-dev.com/blog/
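The symptom described in the quoted report (a `.jsp` served as a plain file when the URL carries a doubled slash) is a path-canonicalisation mismatch: the front end and the servlet engine do not agree on what the request path is, so an extension-based `*.jsp` mapping is never consulted. An administrator can spot such requests in the front-end access log by canonicalising each request path and flagging those that target a `.jsp` only after normalisation. The following is an added example written for this page, not code from the thread or from Apache/Tomcat; the log lines are constructed, and the canonicalisation rules (collapse duplicate slashes, drop `.` and `..` segments, percent-decode) are an assumption about what the servlet container does, not a description of any specific version.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines in Apache common log format (not from the thread).
SAMPLE_LOG = """\
10.0.0.5 - - [03/Aug/2005:19:40:01 -0700] "GET /en/dynapage/scripts/page.jsp HTTP/1.1" 200 5120
10.0.0.5 - - [03/Aug/2005:19:40:07 -0700] "GET /en//dynapage/scripts/page.jsp HTTP/1.1" 200 2210
10.0.0.5 - - [03/Aug/2005:19:40:12 -0700] "GET //en/dynapage/scripts/page.jsp HTTP/1.1" 200 2210
10.0.0.5 - - [03/Aug/2005:19:40:20 -0700] "GET /en/dynapage/./scripts/page.jsp HTTP/1.1" 200 2210
10.0.0.9 - - [03/Aug/2005:19:41:02 -0700] "GET /images/logo.gif HTTP/1.1" 200 880
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def canonical_path(raw_path: str) -> str:
    """Collapse duplicate slashes, drop '.'/'..' segments and percent-decode.
    Assumed to mirror the normalised path the *.jsp mapping is compared against."""
    path = unquote(raw_path.split('?', 1)[0])
    out = []
    for seg in path.split('/'):
        if seg in ('', '.'):
            continue
        if seg == '..':
            if out:
                out.pop()
            continue
        out.append(seg)
    return '/' + '/'.join(out)

def is_noncanonical_jsp_request(raw_path: str) -> bool:
    """True when the path targets a .jsp after normalisation but was not sent
    in canonical form; these are the requests that can bypass an
    extension-based servlet mapping and be served as a static file."""
    canon = canonical_path(raw_path)
    return canon.lower().endswith('.jsp') and raw_path.split('?', 1)[0] != canon

def flag_suspicious(log_text: str) -> list[tuple[str, str]]:
    """Return (raw_path, canonical_path) for every flagged request in the log."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if m and is_noncanonical_jsp_request(m.group('target')):
            hits.append((m.group('target'), canonical_path(m.group('target'))))
    return hits

if __name__ == '__main__':
    for raw, canon in flag_suspicious(SAMPLE_LOG):
        print(f"non-canonical JSP request: {raw!r} -> {canon!r}")
```

Run against the constructed log it reports the three non-canonical requests and ignores the clean `.jsp` and the image request; a `200` with a markedly smaller byte count on a flagged line is the sort of discrepancy worth checking against the known size of the rendered page.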
Current thread:
- Heavy Security Issue jonathan Davis (Aug 03)
- Re: Heavy Security Issue Saqib Ali (Aug 03)
- Re: Heavy Security Issue Dan Simon (Aug 04)
- Re: Heavy Security Issue Marco Caramma (Aug 04)