| VID | 22199 |
| Severity | 30 |
| Port | 80, ... |
| Protocol | TCP |
| Class | Servlet |
| Detailed Description |
The Sun-ONE Application Server has a JSP source disclosure vulnerability that allows remote attackers to view the source code of JSP applications residing in the web document directory by changing the case of the file extension in the HTTP request. The vulnerability arises because Unix code was ported to the Microsoft Windows platform, where the filesystem is case-insensitive. A remote attacker can send a specially crafted URL request for a known JSP file to bypass protection and obtain the source code of the requested JSP page, and possibly database passwords and other sensitive information.
* References: http://www.spidynamics.com/sunone_alert.html http://www.securityfocus.com/archive/1
* Platforms Affected: Sun-ONE Application Server 7.0 for Windows 2000/XP |
| Recommendation | No patches available as of May 2003. If patches are released, apply the appropriate one for your system as soon as possible from Sun's web site, http://sunsolve.sun.com |
| Related URL | CVE-2003-0411 (CVE) |
| Related URL | 7709 (SecurityFocus) |
| Related URL | 12093 (ISS) |
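
Because the entry lists no patch, reviewing web access logs for requests whose extension is a case variant of `.jsp` is one way to check for exposure. The following is an added example, not part of the original advisory; the log layout (Common Log Format), the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Common Log Format: ip ident user [time] "METHOD target PROTO" status size
CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def is_case_variant_jsp(target):
    """True when the path ends in .jsp in any spelling except all-lowercase."""
    # Drop the query string and decode percent-escapes before comparing.
    path = unquote(urlsplit(target).path)
    last_segment = path.rsplit("/", 1)[-1]
    ext = last_segment[last_segment.rfind("."):] if "." in last_segment else ""
    return ext.lower() == ".jsp" and ext != ".jsp"

def find_suspect_requests(lines):
    """Return (ip, target, status) for each request with a mixed-case JSP extension."""
    hits = []
    for line in lines:
        m = CLF.match(line)
        if m and is_case_variant_jsp(m.group("target")):
            hits.append((m.group("ip"), m.group("target"), int(m.group("status"))))
    return hits

def likely_disclosures(hits):
    """A 200 response to a case-variant request means content was served: review it first."""
    return [h for h in hits if h[2] == 200]

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [12/May/2003:10:01:22 +0000] "GET /store/login.jsp HTTP/1.0" 200 5120',
    '198.51.100.7 - - [12/May/2003:10:02:03 +0000] "GET /store/login.JSP HTTP/1.0" 200 2048',
    '198.51.100.7 - - [12/May/2003:10:02:09 +0000] "GET /store/db.Jsp?x=1 HTTP/1.0" 404 312',
    '192.0.2.10 - - [12/May/2003:10:03:40 +0000] "GET /v1.2/index.html HTTP/1.0" 200 900',
]

if __name__ == "__main__":
    for ip, target, status in find_suspect_requests(SAMPLE_LOG):
        flag = "REVIEW" if status == 200 else "probe"
        print(f"{flag:6} {ip} {target} -> {status}")
```

Any JSP whose case-variant request returned 200 should be treated as disclosed, and credentials embedded in it rotated.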