JavaWebServer for Win32 Directory Traversal
Vendor: JavaWebServer
By: SecurityFocus
CVSS: 7.5 (HIGH)
CWE: 22
Product Name: JavaWebServer
Affected Version From: 1.1Beta
Affected Version To: 1.1Beta
Patch Exists: YES
Related CWE: CVE-2001-0206
CPE: o:sun:javawebserver:1.1beta
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows
2001
A vulnerability exists in Sun Microsystems' JavaWebServer for Win32, version 1.1Beta. If a URL is submitted requesting a .jhtml file (an HTML document with embedded Java source) and a '.' or '/' character is appended to the filename, the source for that .jhtml file will be returned to the client, rather than being compiled on the server. As a result, system information which is not intended for disclosure to the client, such as database usernames and passwords, resource locations, website and network structure and business models, may be obtained by the attacker.
Mitigation:
Upgrade to the latest version of JavaWebServer for Win32.
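
Added example, not part of the original advisory or the vendor's code: a Python check over web access logs for the request pattern described above (a .jhtml filename with a trailing '.' or '/'). It assumes Common Log Format, uses constructed sample lines, and goes slightly beyond the text by also normalising percent-encoded forms of those two characters.

```python
import re
from urllib.parse import unquote, urlsplit

# Request line inside a Common Log Format entry: "METHOD target PROTOCOL" status
REQUEST_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# ".jhtml" followed by one or more trailing '.' or '/' at the end of the path.
# Case-insensitive because the affected server runs on Win32.
SUFFIX_RE = re.compile(r'\.jhtml[./]+$', re.IGNORECASE)

def decoded_path(target):
    """Return the path of a request target with percent-encoding removed."""
    path = urlsplit(target).path
    # Decode up to three times so double-encoded input (%252e) is normalised too
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def suspicious_requests(log_lines):
    """Return (line_number, path, status) for .jhtml requests with a trailing '.' or '/'."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue  # not a parseable request entry
        path = decoded_path(match.group("target"))
        if SUFFIX_RE.search(path):
            hits.append((number, path, int(match.group("status"))))
    return hits

# Constructed sample log lines (assumed format, not taken from a real server)
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Feb/2001:10:00:00 +0000] "GET /index.jhtml HTTP/1.0" 200 1043',
    '192.0.2.44 - - [01/Feb/2001:10:00:05 +0000] "GET /login.jhtml. HTTP/1.0" 200 2310',
    '192.0.2.44 - - [01/Feb/2001:10:00:09 +0000] "GET /db/query.jhtml/ HTTP/1.0" 200 5121',
    '192.0.2.44 - - [01/Feb/2001:10:00:12 +0000] "GET /login.JHTML%2e?x=1 HTTP/1.0" 200 2310',
    '192.0.2.10 - - [01/Feb/2001:10:00:20 +0000] "GET /docs/ HTTP/1.0" 200 812',
]

if __name__ == "__main__":
    for number, path, status in suspicious_requests(SAMPLE_LOG):
        print(f"line {number}: {path} -> HTTP {status}")
```

A hit answered with status 200 is the case to review first, since it indicates the server returned content for the malformed filename.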