[jboss-jira] [JBoss JIRA] (WFLY-4603) JSP source code leak when a slash added at the end of the URL
Josef Cacek (JIRA)
issues at jboss.org
Thu May 7 01:44:45 EDT 2015
Josef Cacek created WFLY-4603:
---------------------------------
Summary: JSP source code leak when a slash added at the end of the URL
Key: WFLY-4603
URL: https://issues.jboss.org/browse/WFLY-4603
Project: WildFly
Issue Type: Bug
Components: Web (Undertow)
Affects Versions: 8.1.0.Final, 8.2.0.Final, 9.0.0.CR1
Reporter: Josef Cacek
Assignee: Stuart Douglas
Priority: Blocker
Fix For: 9.0.0.CR2, 10.0.0.Alpha1
Attachments: jsp-source.war
When a trailing slash is added to a JSP URL (e.g. {{localhost:8080/my-app/index.jsp/}}) the source code of the JSP is downloaded/displayed.
This is a security issue, because users can have passwords to external systems directly stored in JSP source code.
This was originally reported by Abhinav Gupta on [stackoverflow|http://stackoverflow.com/questions/30028346/with-trailing-slash-in-url-jsp-show-source-code]
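A defender's check for the issue reported above, as an added example that is not part of the original report or of WildFly itself: it scans access-log lines for requests to a `.jsp/` path that were answered with 200, which on an affected version may have returned JSP source. The Common Log Format layout, the function name and the sample lines are assumptions constructed for illustration.

```python
import re

# Assumed layout (Common Log Format):
#   host ident user [time] "METHOD target PROTO" status bytes
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)
# A JSP path with a trailing slash, as in the report's index.jsp/ example.
# Matching more than one slash is an assumption; the report shows one.
JSP_SLASH = re.compile(r'\.jsp/+$')

def suspicious_jsp_requests(lines):
    """Return (host, time, path, size) for 200 responses to '<name>.jsp/' paths."""
    hits = []
    for line in lines:
        m = CLF.match(line.strip())
        if not m:
            continue  # not in the assumed format, skip
        path = m["target"].split("?", 1)[0]  # ignore the query string
        if m["status"] == "200" and JSP_SLASH.search(path):
            size = 0 if m["size"] == "-" else int(m["size"])
            hits.append((m["host"], m["time"], path, size))
    return hits

# Constructed sample lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [07/May/2015:07:40:01 +0200] "GET /my-app/index.jsp HTTP/1.1" 200 512',
    '192.0.2.10 - - [07/May/2015:07:40:05 +0200] "GET /my-app/index.jsp/ HTTP/1.1" 200 1843',
    '198.51.100.7 - - [07/May/2015:07:41:12 +0200] "GET /my-app/admin/db.jsp/?x=1 HTTP/1.1" 200 2210',
    '198.51.100.7 - - [07/May/2015:07:41:30 +0200] "GET /my-app/index.jsp/ HTTP/1.1" 404 74',
    '203.0.113.4 - - [07/May/2015:07:42:00 +0200] "GET /my-app/docs/ HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for host, when, path, size in suspicious_jsp_requests(SAMPLE_LOG):
        print(f"{when}  {host}  {path}  ({size} bytes) - review JSP for embedded secrets")
```

Any JSP that appears in the output on an affected version should be treated as disclosed, and credentials stored in it rotated.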