[jboss-jira] [JBoss JIRA] (WFLY-4595) JSP source code leak when a slash added at the end of the URL
Josef Cacek (JIRA)
issues at jboss.org
Wed May 6 05:43:46 EDT 2015
[ https://issues.jboss.org/browse/WFLY-4595?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Josef Cacek updated WFLY-4595:
------------------------------
Affects Version/s: 8.1.0.Final
> JSP source code leak when a slash added at the end of the URL
> -------------------------------------------------------------
>
> Key: WFLY-4595
> URL: https://issues.jboss.org/browse/WFLY-4595
> Project: WildFly
> Issue Type: Bug
> Components: Web (Undertow)
> Affects Versions: 8.1.0.Final, 8.2.0.Final, 9.0.0.CR1
> Reporter: Josef Cacek
> Assignee: Stuart Douglas
> Priority: Blocker
> Attachments: jsp-source.war
>
>
> When a trailing slash is added to a JSP URL (e.g. {{localhost:8080/my-app/index.jsp/}}) the source code of the JSP is downloaded/displayed.
> This is a security issue, because users can have passwords to external systems directly stored in JSP source code.
> This was originally reported by Abhinav Gupta on [stackoverflow|http://stackoverflow.com/questions/30028346/with-trailing-slash-in-url-jsp-show-source-code]
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
More information about the jboss-jira
mailing list