VID 21582
Severity 30
Port 80, ...
Protocol TCP
Class CGI
Detailed Description
The relevant Web server appears to allow downloads of Java source (.java) or compiled class (.class) files. Java source files, and the source recovered by decompiling CLASS files, often contain sensitive information such as user IDs, passwords, network configuration, and similar details. A compiled binary CLASS file (for example, an applet) can be decompiled by an attacker to regenerate Java source code that is close to the original. Jad, ClassCracker, and Decafe Pro are representative Java decompilers that read one or more Java CLASS files and convert them into Java source files that can be compiled again. Make sure that exposed CLASS files do not contain sensitive information that could help an attacker launch further attacks against the relevant host.

* References:
http://kpdus.tripod.com/jad.html

* Platforms Affected:
Any HTTP server Any version
Java Any version
Any operating system Any version
Recommendation Remove the Java source files from the Web document folders.

-- AND --

Configure the file permissions of downloadable Java CLASS files so that Web browsers cannot download them, or make sure that exposed CLASS files do not contain sensitive information.
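As an added example (not part of this entry or any vendor's tooling), the following audit script walks a Web document root, lists every .java and .class file a browser could request, and flags source lines that match credential-style patterns so they can be reviewed before the files are removed. The document root, file names, and the SENSITIVE_PATTERNS regular expression are constructed assumptions for illustration.

```python
import os
import re
import tempfile

# File types this entry is about: Java source and compiled CLASS files.
JAVA_EXTENSIONS = (".java", ".class")

# Constructed, hypothetical patterns hinting at credentials or network details.
SENSITIVE_PATTERNS = re.compile(
    r"password|passwd|secret|jdbc:|\b\d{1,3}(?:\.\d{1,3}){3}\b", re.IGNORECASE)

def find_java_artifacts(docroot):
    """Return docroot-relative, slash-separated paths of every .java/.class file."""
    found = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            if name.lower().endswith(JAVA_EXTENSIONS):
                rel = os.path.relpath(os.path.join(dirpath, name), docroot)
                found.append(rel.replace(os.sep, "/"))
    return sorted(found)

def flag_sensitive_source(docroot, rel_paths):
    """For each .java file, list line numbers matching SENSITIVE_PATTERNS."""
    hits = {}
    for rel in rel_paths:
        if not rel.lower().endswith(".java"):
            continue
        with open(os.path.join(docroot, rel), encoding="utf-8", errors="replace") as fh:
            lines = [n for n, text in enumerate(fh, 1) if SENSITIVE_PATTERNS.search(text)]
        if lines:
            hits[rel] = lines
    return hits

def build_sample_docroot():
    """Constructed document root: one risky source file, one class file, one page."""
    root = tempfile.mkdtemp(prefix="docroot-")
    os.makedirs(os.path.join(root, "applets"))
    with open(os.path.join(root, "applets", "DbClient.java"), "w") as fh:
        fh.write('String url = "jdbc:mysql://10.0.0.5/app";\n')  # constructed
        fh.write('String password = "example-only";\n')          # constructed
    with open(os.path.join(root, "applets", "Hello.class"), "wb") as fh:
        fh.write(b"\xca\xfe\xba\xbe")  # class-file magic number only
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write("<html></html>\n")
    return root

if __name__ == "__main__":
    root = build_sample_docroot()
    artifacts = find_java_artifacts(root)
    print("exposed Java artifacts:", artifacts)
    print("source lines needing review:", flag_sensitive_source(root, artifacts))
```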
Related URL (CVE)
Related URL (SecurityFocus)
Related URL 8735 (ISS)