WebApp Sec mailing list archives

Re: Heavy Security Issue
From: "Dan Simon" <dsimon () remingtonltd com>
Date: Thu, 4 Aug 2005 08:20:33 -0500 (CDT)

Two thoughts:

1.  Please do let us know what servlet engine you are using (as someone
else suggested).

2.  I would also recommend that you look into implementing a proper MVC
architecture for your code.  I prefer the Spring Framework
(www.springframework.org), but that's just me...I find it clean, simple,
and elegant.

By implementing a proper MVC architecture for your JSP application, you
can prevent access to the JSP files entirely -- with only the servlet
engine itself allowed to view the files.  It also encourages proper
separation of code from the UI.  Some very, very nice ideas for the
security-minded.

Dan Simon
C|EH, SCJP, SCJD
Remington Associates, Ltd.
http://www.remingtonltd.com

Hi Guys!

My name is Jonathan. I am really pleased to let you
know that I love your security site; it really helps us
developers resolve many of our security
doubts.

Once more I am turning to you for help. The issue
is the following:

I have an Apache server and an application running on it, but
I recently found a little problem that consists of the
following:

- When I make a request for the following JSP, for
example:
http://XX.XX.XX.XX:8081/en/dynapage/scripts/page.jsp
the JSP is interpreted, the request is successful,
and HTML is displayed in the browser.

- But when I add a forward slash either after
"en" or after "dynapage", so that the request looks
like the following:
http://XX.XX.XX.XX:8081/en//dynapage/scripts/page.jsp
http://XX.XX.XX.XX:8081//en/dynapage/scripts/page.jsp
what I get is a "download file" window that lets me
download the .jsp file and view the source code :(

Could you please help me find out whether this is a missing
configuration in my Apache httpd or a bug in the
technology itself.

Thank you in advance, guys!
I hope to hear from you soon.

Jonathan Orlando
