GNUJSP Directory Disclosure Vulnerability

vendor:

GNUJSP

by:

SecurityFocus

3.3

CVSS

MEDIUM

Directory Disclosure

CWE

Product Name: GNUJSP

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Unix, Linux, Microsoft Windows NT/2000

2002

GNUJSP Directory Disclosure Vulnerability

GNUJSP is a freely available, open-source implementation of Sun's Java Server Pages. It has been reported that a remote attacker may disclose the contents of directories via a specially crafted web request. This may be exploited to list directories, read the contents of arbitrary web-readable files, and disclose script source code. The attacker simply appends the name of the directory and/or file to be disclosed to a web request for /servlets/gnujsp/.

Mitigation:

Ensure that the web server is configured to deny access to sensitive files and directories.

Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/4125/info

GNUJSP is a freely available, open-source implementation of Sun's Java Server Pages. It will run on most Unix and Linux variants, as well as Microsoft Windows NT/2000 operating systems.

It has been reported that a remote attacker may disclose the contents of directories via a specially crafted web request. This may be exploited to list directories, read the contents of arbitrary web-readable files, and disclose script source code. The attacker simply appends the name of the directory and/or file to be disclosed to a web request for /servlets/gnujsp/.

It should be noted that this may allow an attacker to circumvent .htaccess files.

This issue may be the result of a configuration error. 

http://site/servlets/gnujsp/[dirname]/[file]