Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email email@example.com
Viewable .jhtml source with JavaWebServerBrian Krahmer (brianKRAHMER.COM)
Wed, 16 Jul 1997 14:01:05 -0500
- Messages sorted by: [ date ][ thread ][ subject ][ author ]
- Next message: Alec Muffett: "Re: Buffer Overrun / DOS in /bin/passwd (at least Redhat Linux"
- Previous message: Steve Bellovin: "Re: StackGuard: Automatic Protection From Stack-smashing Attacks"
It has been discovered by Min Chang that there is a security vulnerability in the 1.1Beta version of JavaWebServer for win32. Similar to the IIS viewable source bug, if you append a '.' (period) or a '\' (backslash) to a .jhtml URL, the server will display the source. .jhtml files are html files with embedded Java code that are supposed to be compiled and returned to the client (sans the java code). Because these files can have things like jdbc queries or important server filenames embedded in them, it is a security risk. examples: http://localhost/xyz.jhtml. or http://localhost/xyz.jhtml\ brian -- Brian Krahmer - briankrahmer.com - http://www.krahmer.com President, Network Guardians, Inc. Makers of NetGuard. 1.0 release coming after the new year! http://www.net-guards.com