Vulnerability: Multiple vendor WEB-INF directory access

An advisory has surfaced that indicates multiple vendor Java/JSP Web servers have been found to allow remote access to the WEB-INF directory, which typically contains sensitive files not suited to be served to users.

The vulnerability is triggered by appending an extra '.' character after the directory name in the URL request.

Sybase EA server, Oracle OC4J, Orion, JRun, HP App Server, Paramati and Jo Webserver have been reported as vulnerable.

A full list of vulnerable versions and appropriate patches is available at:

Join the newsletter!

Error: Please check your email address.

More about NeohapsisOrionSybase Australia

Show Comments