Vulnerabilities: Sun-ONE Application Server 7.0 for Win 2000/XP

It is possible to view the source code of JSP applications by changing the case of the file extension in the HTTP request. The vulnerability is due to Unix code being ported to the Microsoft Windows platform where the filesystem is case insensitive. When a request is received, the server performs a case sensitive check to determine if the request ends in “.jsp”. If it does, the JSP engine will process it. Otherwise, it will see if it can retrieve the requested resource from the filesystem. On Unix operating systems, this will fail because of “file.jsp” cannot be opened by asking for “file.JSP” However, on Windows the file will be returned because the filesystem is case insensitive.

For details, see http://www.spidynamics.com/sunone_alert.html.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

More about Microsoft

Show Comments