[jboss-jira] [JBoss JIRA] (WFLY-4595) JSP source code leak when a slash added at the end of the URL

Josef Cacek (JIRA) issues at jboss.org
Wed May 6 05:38:45 EDT 2015


Josef Cacek created WFLY-4595:
---------------------------------

             Summary: JSP source code leak when a slash added at the end of the URL
                 Key: WFLY-4595
                 URL: https://issues.jboss.org/browse/WFLY-4595
             Project: WildFly
          Issue Type: Bug
          Components: Web (Undertow)
    Affects Versions: 9.0.0.CR1, 8.2.0.Final
            Reporter: Josef Cacek
            Assignee: Stuart Douglas
            Priority: Blocker


When a trailing slash is added to a JSP URL (e.g. {{localhost:8080/my-app/index.jsp/}}), the source code of the JSP is downloaded/displayed.

This is a security issue, because users can have passwords to external systems directly stored in JSP source code.

This was originally reported by Abhinav Gupta on [stackoverflow|http://stackoverflow.com/questions/30028346/with-trailing-slash-in-url-jsp-show-source-code]



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
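
The following is an added example, not part of the original report or of WildFly's code: a log review that lists requests whose path ends in `.jsp/` (or `.jspx/`) and that the server answered with a 2xx status, which are the requests that may have returned JSP source on an affected version. It assumes access logging is enabled in the common/combined log format; the function names and the sample lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumed format (common/combined access log):
#   host ident user [time] "METHOD target PROTO" status bytes ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# A path that names a JSP file and then ends in one or more slashes
JSP_SLASH_RE = re.compile(r'\.jspx?/+$', re.IGNORECASE)


def suspicious_requests(lines):
    """Return (host, time, target, size) for 2xx responses to '<file>.jsp/'."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line in the assumed format
        if not m["status"].startswith("2"):
            continue  # no body was served, so nothing could have leaked
        path = urlsplit(m["target"]).path  # ignore the query string
        if JSP_SLASH_RE.search(path):
            hits.append((m["host"], m["time"], m["target"], m["size"]))
    return hits


def pages_to_review(hits):
    """Map each JSP path that was served this way to the clients that fetched it."""
    pages = {}
    for host, _time, target, _size in hits:
        jsp = urlsplit(target).path.rstrip("/")
        pages.setdefault(jsp, set()).add(host)
    return pages


# Constructed sample log lines (documentation addresses, not real traffic)
SAMPLE_LOG = [
    '192.0.2.10 - - [06/May/2015:09:01:12 +0000] "GET /my-app/index.jsp HTTP/1.1" 200 512',
    '192.0.2.44 - - [06/May/2015:09:02:40 +0000] "GET /my-app/index.jsp/ HTTP/1.1" 200 1873',
    '192.0.2.44 - - [06/May/2015:09:02:55 +0000] "GET /my-app/admin/db.jsp/?x=1 HTTP/1.1" 200 2290',
    '192.0.2.51 - - [06/May/2015:09:03:10 +0000] "GET /my-app/login.jsp/ HTTP/1.1" 404 0',
    '192.0.2.60 - - [06/May/2015:09:04:00 +0000] "GET /my-app/docs/ HTTP/1.1" 200 940',
]

if __name__ == "__main__":
    for jsp, hosts in sorted(pages_to_review(suspicious_requests(SAMPLE_LOG)).items()):
        print(jsp, sorted(hosts))
```

Any JSP listed by `pages_to_review` should be treated as disclosed, and credentials embedded in it rotated.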

