An advisory reports that Java/JSP Web servers from multiple vendors allow remote access to the WEB-INF directory, which typically contains sensitive files that should not be served to users.
The vulnerability is triggered by appending an extra '.' character after the directory name in the URL request.
Sybase EA Server, Oracle OC4J, Orion, JRun, HP App Server, Pramati and Jo Webserver have been reported as vulnerable.
A full list of vulnerable versions and appropriate patches is available at: http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0132.html
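
A way to check whether a server has received or answered such requests, added here as an example that is not part of the advisory or any vendor's code: the Python below scans access-log lines for paths in which the WEB-INF directory name is followed by extra '.' characters and reports the response status. The Common Log Format layout, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Pulls the request target and status code out of a Common Log Format line (assumed layout).
REQUEST_RE = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+" (\d{3})')

PROTECTED = "web-inf"


def classify_path(raw_target):
    """Return 'trailing-dot', 'direct' or None for a request target."""
    # Normalize first: drop the query string, decode percent-escapes, fold case.
    path = unquote(urlsplit(raw_target).path)
    for segment in path.split("/"):
        folded = segment.lower()
        if folded == PROTECTED:
            return "direct"        # plain WEB-INF request; a correct server refuses it
        # The advisory's trigger: the directory name followed by extra '.' characters.
        if folded.rstrip(".") == PROTECTED:
            return "trailing-dot"
    return None


def scan(log_lines):
    """Return (line_no, kind, status, target) for every request aimed at WEB-INF."""
    hits = []
    for no, line in enumerate(log_lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        target, status = m.group(1), int(m.group(2))
        kind = classify_path(target)
        if kind:
            hits.append((no, kind, status, target))
    return hits


# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jul/2002:10:00:01 +0000] "GET /app/index.jsp HTTP/1.0" 200 512',
    '192.0.2.10 - - [01/Jul/2002:10:00:02 +0000] "GET /app/WEB-INF/web.xml HTTP/1.0" 404 0',
    '192.0.2.11 - - [01/Jul/2002:10:00:03 +0000] "GET /app/WEB-INF./web.xml HTTP/1.0" 200 2048',
]

if __name__ == "__main__":
    for no, kind, status, target in scan(SAMPLE_LOG):
        outcome = "SERVED" if status == 200 else "refused"
        print(f"line {no}: {kind} {target} -> {status} ({outcome})")
```

A 'trailing-dot' hit answered with status 200 means the file was served and the server needs the vendor patch; the same normalization can back a front-end rule that rejects such paths until the patch is applied.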