JSP source code leak when a slash added at the end of the URL
-------------------------------------------------------------
Key: WFLY-4595
URL:
https://issues.jboss.org/browse/WFLY-4595
Project: WildFly
Issue Type: Bug
Components: Web (Undertow)
Affects Versions: 8.1.0.Final, 8.2.0.Final, 9.0.0.CR1
Reporter: Josef Cacek
Assignee: Stuart Douglas
Priority: Blocker
Fix For: 9.0.0.CR2, 10.0.0.Alpha1
Attachments: jsp-source.war
When a trailing slash is added to a JSP URL (e.g. {{localhost:8080/my-app/index.jsp/}})
the source code of the JSP is downloaded/displayed.
This is a security issue, because users can have passwords to external systems directly
stored in JSP source code.
This was originally reported by Abhinav Gupta on
[
stackoverflow|http://stackoverflow.com/questions/30028346/with-trailing-s...]