bugtraq id 1328
class design error
cve cve-2000-0499
remote yes
local yes
published june 08, 2000
updated november 10, 2000
vulnerable bea systems weblogic 4.5.1
- microsoft windows nt 4.0
bea systems weblogic 4.0.4
- microsoft windows nt 4.0
bea systems weblogic 3.1.8
- microsoft windows nt 4.0
ibm websphere application server 3.0.21
- sun solaris 8.0
- microsoft windows nt 4.0
- linux kernel 2.3.x
- ibm aix 4.3
unify ewave servletexec 3.0
- sun solaris 8.0
- microsoft windows 98
- microsoft windows nt 4.0
- microsoft windows nt 2000
- linux kernel 2.3.x
- ibm aix 4.3.2
- hp hp-ux 11.4
many webservers are case-sensitive, but do not have all possible combinations of cases in mapped extensions mapped properly.
by changing the letters in a jsp or a jhtml file extension from lower case to upper case (eg: .jsp or .jhtml becomes .jsp or .jhtml) in a url the server does not recognize the file extension and sends the file normally. in that manner, a user is able to access the source code to those specific files.
Java Asp PHP .Net XML C/C++ CGI VB Jsp J2ee J2se J2me EJB Servlet Tomcat Resin Struts Weblogic Eclipse ANT GUI JMS Web servise IDEA Webphere Hibernate Spring Jboss Applet Swing Socket Javamail Perl Ajax P2P 安全 模式 框架 测试 开源 游戏
Windows XP Windows 2000 Windows 2003 Windows Me Windows 9.x Linux UNIX 注册表 操作系统 服务器 应用服务器
