[jboss-jira] [JBoss JIRA] (WFLY-4595) JSP source code leak when a slash added at the end of the URL

Kabir Khan (JIRA) issues at jboss.org
Wed Dec 6 11:21:23 EST 2017


     [ https://issues.jboss.org/browse/WFLY-4595?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Kabir Khan closed WFLY-4595.
----------------------------


> JSP source code leak when a slash added at the end of the URL
> -------------------------------------------------------------
>
>                 Key: WFLY-4595
>                 URL: https://issues.jboss.org/browse/WFLY-4595
>             Project: WildFly
>          Issue Type: Bug
>          Components: Web (Undertow)
>    Affects Versions: 8.1.0.Final, 8.2.0.Final, 9.0.0.CR1
>            Reporter: Josef Cacek
>            Assignee: Stuart Douglas
>            Priority: Blocker
>             Fix For: 9.0.0.CR2, 10.0.0.Alpha1
>
>         Attachments: jsp-source.war
>
>
> When a trailing slash is added to a JSP URL (e.g. {{localhost:8080/my-app/index.jsp/}}) the source code of the JSP is downloaded/displayed.
> This is a security issue, because users can have passwords to external systems directly stored in JSP source code.
> This was originally reported by Abhinav Gupta on [stackoverflow|http://stackoverflow.com/questions/30028346/with-trailing-slash-in-url-jsp-show-source-code]



--
This message was sent by Atlassian JIRA
(v7.5.0#75005)
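
A defender-side check for the behaviour described in the issue, added here as an example and not code from WildFly, Undertow or the reporter: it flags successful access-log requests for a `.jsp` path with a trailing slash and tests a response body for unrendered JSP syntax. The Common Log Format layout, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Assumed layout: host ident user [time] "METHOD target PROTO" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')
# A JSP resource name followed by one or more trailing slashes, as in the report.
JSP_TRAILING_SLASH = re.compile(r'\.jspx?/+$', re.IGNORECASE)
# Server-side JSP syntax that should not reach a client in a rendered page.
JSP_MARKUP = re.compile(r'<%[@=!-]?|<jsp:[a-zA-Z]+')


def trailing_slash_jsp_hits(log_lines):
    """Return (client, path, status) for 2xx requests to '<name>.jsp/'."""
    hits = []
    for line in log_lines:
        m = CLF.match(line)
        if not m:
            continue  # not in the assumed format; skip rather than guess
        client, _ts, _method, target, status, _size = m.groups()
        path = unquote(urlsplit(target).path)  # drop query, decode percent-escapes
        if JSP_TRAILING_SLASH.search(path) and status.startswith("2"):
            hits.append((client, path, int(status)))
    return hits


def body_contains_jsp_source(body):
    """True if a response body still holds JSP directives, scriptlets or actions."""
    return bool(JSP_MARKUP.search(body))


# Constructed sample data (not taken from the report).
SAMPLE_LOG = [
    '192.0.2.10 - - [06/May/2015:10:00:01 +0000] "GET /my-app/index.jsp HTTP/1.1" 200 512',
    '192.0.2.11 - - [06/May/2015:10:00:05 +0000] "GET /my-app/index.jsp/ HTTP/1.1" 200 1834',
    '192.0.2.12 - - [06/May/2015:10:00:09 +0000] "GET /my-app/index.jsp/?x=1 HTTP/1.1" 404 0',
    '192.0.2.13 - - [06/May/2015:10:00:12 +0000] "GET /my-app/docs/ HTTP/1.1" 200 900',
]
RENDERED = "<html><body>Hello</body></html>"
LEAKED = '<%@ page language="java" %>\n<% String pw = "example"; %>\n<html></html>'

if __name__ == "__main__":
    for hit in trailing_slash_jsp_hits(SAMPLE_LOG):
        print("review:", hit)
    print(body_contains_jsp_source(RENDERED), body_contains_jsp_source(LEAKED))
```

Pages that ship client-side templates using `<% %>` delimiters will match the body check as well, so treat a hit as a prompt to inspect the response rather than as proof of a leak.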

