The Java Web Server Would Allow Remote Users To vulnerability report
vulnerabilities.aspcode.net
The Java Web Server would allow remote users to obtain the source code for CGI programs.
References
BUGTRAQ:Wednesday, July 16, 1997 Viewable .jhtml source with JavaWebServer | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=88256790401004&w=2
Phase:
Modified (Friday, December 03, 1999-01)
Votes:
ACCEPT(7) Dik, Collins, Blake, Northcutt, Wall, Baker, Cole | MODIFY(1) Frech | NOOP(5) Armstrong, Bishop, Christey, Prosser, Landfield | REVIEWING(1) Ozancin
Comments:
Wall> Acknowledged by vendor at http://www.sun.com/software/jwebserver/techinfo/jws112info.html.
Baker> Vulnerability Reference (HTML) | Reference Type
  http://www.securityfocus.com/archive/1/7260 | Misc Defensive Info
  http://www.sun.com/software/jwebserver/techinfo/jws112info.html | Vendor Info
Christey> BID:1891
  URL:http://www.securityfocus.com/bid/1891
Christey> Add version number (1.1 beta) and details of attack (appending a . or a \)
  The Sun URL referenced by Dave Baker no longer exists, so I wasn't able to verify that it addressed the problem described in the Bugtraq post. This might not even be Sun's "Java Web Server," as CVE-2001-0186 describes some product called "Free Java Web Server"
Dik> There appears to be some confusion.
  The particular bug seems to be one in JWS 1.1beta or 1.1 which was fixed in 1.1.2 (get foo.jhtml source by appending "." or "\" to URL)
  There are other bugs that give access and that require a configuration change.
  http://www.sun.com/software/jwebserver/techinfo/security_advisory.html
Christey> Need to make sure to create CAN's for the other bugs, as documented in:
  NTBUGTRAQ:19980724 Alert: New Source Bug Affect Sun JWS
  http://marc.theaimsgroup.com/?l=ntbugtraq&m=90222454131622&w=2
  BUGTRAQ:19980725 Alert: New Source Bug Affect Sun JWS
  http://marc.theaimsgroup.com/?l=bugtraq&m=90221104526086&w=2
  The reported bugs are:
  1) file read by appending %20
  2) Directly call /servlet/file
  URL:http://www.sddt.com/cgi-bin/Subscriber?/library/98/07/24/tbd.html
  #2 is explicitly mentioned in the Sun advisory for CVE-1999-0283.
CHANGE> [Frech changed vote from REVIEWING to MODIFY]
Frech> XF:javawebserver-cgi-source(5383)