JavaWebServer viewable source bug

Description: You can view the source of .jhtml files by appending a '.' or '\' to their name. ie .
Author: Brian Krahmer <brian@KRAHMER.COM>
Compromise: View the source code of .jhtml files which in some cases should be secret
Vulnerable Systems: Those running vulnerable versions of JavaWebServer for win32
Date: 16 July 1997

Date: Wed, 16 Jul 1997 14:01:05 -0500
From: Brian Krahmer <brian@KRAHMER.COM>
Subject: Viewable .jhtml source with JavaWebServer

It has been discovered by Min Chang that there is a security
vulnerability in the 1.1Beta version of JavaWebServer for win32.
Similar to the IIS viewable source bug, if you append a '.' (period) or
a '\' (backslash) to a .jhtml URL, the server will display the source.
.jhtml files are html files with embedded Java code that are supposed to
be compiled and returned to the client (sans the java code).  Because
these files can have things like jdbc queries or important server
filenames embedded in them, it is a security risk.


  Brian Krahmer - -
           President, Network Guardians, Inc.
  Makers of NetGuard.  1.0 release coming after the new year!
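
An added example (not part of the original advisory, and not JavaWebServer's own code): a sketch of the handler-selection flaw that produces this kind of source disclosure, next to a dispatcher that refuses such requests. It assumes the server matched the extension against the raw URL while the file system dropped the trailing '.' or '\' when opening the file; the handler names and sample paths are hypothetical.

```python
from urllib.parse import unquote

# Hypothetical handler names and extension table, for illustration only.
COMPILE, STATIC, REJECT = "compile_and_run", "serve_raw_bytes", "reject"
HANDLERS = {".jhtml": COMPILE}
# The two trailing characters the advisory names.
TRAILING = ".\\"


def naive_dispatch(url_path: str) -> str:
    """Flawed pattern: choose the handler from the raw URL suffix."""
    decoded = unquote(url_path)
    for ext, handler in HANDLERS.items():
        if decoded.endswith(ext):
            return handler
    return STATIC


def effective_name(url_path: str) -> str:
    """Name assumed to reach the file system once trailing '.' and '\\' are dropped."""
    return unquote(url_path).rstrip(TRAILING)


def discloses_source(url_path: str) -> bool:
    """True when the raw URL is served statically but the file opened is a compiled page type."""
    return (naive_dispatch(url_path) == STATIC
            and naive_dispatch(effective_name(url_path)) == COMPILE)


def hardened_dispatch(url_path: str) -> str:
    """Refuse any path whose effective name differs from what was requested."""
    if effective_name(url_path) != unquote(url_path):
        return REJECT
    return naive_dispatch(url_path)


if __name__ == "__main__":
    # Constructed sample request paths.
    for p in ["/index.jhtml", "/index.jhtml.", "/index.jhtml%5C", "/logo.gif"]:
        print(f"{p:18} naive={naive_dispatch(p):16} "
              f"leak={discloses_source(p)!s:5} hardened={hardened_dispatch(p)}")
```

`discloses_source` can also be run over the request paths in an access log to flag past requests of this shape.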

This page is part of Fyodor's exploit world.