
EWave ServletExec show source hole
Vulnerability

    eWave ServletExec

Affected

    Unify eWave ServletExec

Description

    Unify eWave ServletExec is a Java Server Pages (JSP) processing
    environment which runs on IIS (amongst a variety of other platforms
    and operating systems). JSP is similar to ASP in that it allows
    server-side source code to generate dynamic web pages for
    presentation to web visitors. Like ASP, JSP source code pages should
    never be visible to those visitors.

    Basically, if you visit a JSP served via ServletExec such as:

        http://dummysite/somepage.jsp

    you will see a fully formed page rendered according to the source JSP
    instructions. Yet if you request the same page with a minor
    modification, using an upper-case extension (.JSP) at the end of the
    link:

        http://dummysite/somepage.JSP

    you will instead see the source code of the JSP in question, because
    the upper-case extension does not match the servlet mapping and the
    file is served as a plain static file.

Solution

    According to Unify, all that is required to prevent this is to have
    installed a default Servlet which, for example, states that the page
    requested is not found (or returns any other page you wish to present
    when a JSP request is presented which does not explicitly match some
    known JSP).
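    The following is an added illustration, not vendor code and not part
    of the original advisory. It models the dispatch logic behind both
    the Description and the Solution above: a servlet engine mapped on
    the ".jsp" extension, sitting in front of a case-insensitive
    filesystem such as NTFS. The "vulnerable" dispatcher compares the
    extension as typed, so a ".JSP" request misses the mapping, falls
    through to the static file handler, and the raw source comes back.
    The "hardened" dispatcher normalises the extension and routes any JSP
    request that is not an explicitly registered page to a default
    handler that answers 404, which is the advice above. File contents,
    paths and handler names are constructed for the example.

```python
"""Model of an extension-mapped JSP dispatcher in front of a case-insensitive
filesystem. Hypothetical stand-in for IIS + ServletExec, not vendor code."""
from dataclasses import dataclass
from pathlib import PurePosixPath

# Constructed sample document root: URL path -> raw file contents.
SITE_FILES = {
    "/somepage.jsp": (
        '<%@ page language="java" %>\n'
        '<% String dbPassword = "constructed-secret"; %>\n'
        "<html>hello</html>\n"
    ),
    "/logo.gif": "GIF89a(constructed binary stand-in)",
}

# Pages the hardened dispatcher explicitly knows about (exact paths).
REGISTERED_JSPS = {"/somepage.jsp"}

# Scriptlet delimiters; their presence in a response body means source leaked.
JSP_MARKERS = ("<%", "%>")


@dataclass
class Response:
    status: int
    body: str


def read_file_case_insensitive(path: str):
    """Models NTFS: the file name is matched regardless of case."""
    wanted = path.lower()
    for name, contents in SITE_FILES.items():
        if name.lower() == wanted:
            return contents
    return None


def jsp_engine(source: str) -> Response:
    """Stand-in for the servlet engine: it renders the page and never echoes
    scriptlet source (here: drops every line that starts with "<%")."""
    rendered = "\n".join(
        line for line in source.splitlines() if not line.lstrip().startswith("<%")
    )
    return Response(200, rendered)


def static_handler(path: str) -> Response:
    """Plain file server: returns whatever bytes the filesystem finds."""
    contents = read_file_case_insensitive(path)
    if contents is None:
        return Response(404, "Not Found")
    return Response(200, contents)


def vulnerable_dispatch(path: str) -> Response:
    """Bug: the extension is compared as typed, so ".JSP" never matches the
    servlet mapping and the request falls through to the static handler."""
    if PurePosixPath(path).suffix == ".jsp":
        source = read_file_case_insensitive(path)
        return jsp_engine(source) if source is not None else Response(404, "Not Found")
    return static_handler(path)


def default_servlet(path: str) -> Response:
    """The recommended catch-all: any JSP request that is not an explicitly
    known page gets a 404 rather than falling through to static files."""
    return Response(404, "Not Found")


def hardened_dispatch(path: str) -> Response:
    # Fix 1: match the extension case-insensitively, so ".JSP" is still a
    # servlet request and can never reach the static handler.
    if PurePosixPath(path).suffix.lower() == ".jsp":
        # Fix 2: only explicitly registered pages are rendered; everything
        # else (including case variants of known names) goes to the default.
        if path in REGISTERED_JSPS:
            return jsp_engine(read_file_case_insensitive(path))
        return default_servlet(path)
    return static_handler(path)


def leaks_source(resp: Response) -> bool:
    """Self-check for a defender testing their own server: a 200 response to
    a JSP URL whose body still contains scriptlet delimiters is a leak."""
    return resp.status == 200 and any(m in resp.body for m in JSP_MARKERS)


if __name__ == "__main__":
    for dispatch in (vulnerable_dispatch, hardened_dispatch):
        for url in ("/somepage.jsp", "/somepage.JSP", "/other.jsp", "/logo.gif"):
            r = dispatch(url)
            print(f"{dispatch.__name__:20} {url:15} {r.status} leak={leaks_source(r)}")
```

    Run stand-alone, the script prints one line per dispatcher and URL;
    only the vulnerable dispatcher with the upper-case extension reports
    a leak. The same `leaks_source` check is the kind of assertion worth
    keeping in a deployment smoke test after applying the vendor's
    default-servlet fix.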
