WildFly / WFLY-4595

JSP source code leak when a slash added at the end of the URL

    Details

    • Steps to Reproduce:
      • download and deploy the attached reproducer jsp-source.war
      • access index.jsp with a trailing slash:
      $ curl http://localhost:8080/jsp-source/index.jsp/
      <%@ page language="java" errorPage="/error.jsp" pageEncoding="UTF-8" contentType="text/html;charset=utf-8" session="false" %>
      <%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
      
      <%
        // Can you see this text? Then you've reproduced the issue!
      
        System.out.println("JSP SOURCE LEAK REPRODUCER - Just put some text into the log file when we hit the JSP in the correct way... ");
      %>
      
      <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
      <html>
      ...
      

      Description

      When a trailing slash is added to a JSP URL (e.g. localhost:8080/my-app/index.jsp/) the source code of the JSP is downloaded/displayed.

      This is a security issue, because users can have passwords to external systems directly stored in JSP source code.

      This was originally reported by Abhinav Gupta on Stack Overflow.
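      As an added example (not code from this issue or from WildFly), a small POSIX shell check that automates the reproduction steps above across several JSPs: it appends exactly one trailing slash to each JSP URL and treats a 200 response that still contains JSP directives or scriptlet markers as a source leak. The script name, the base URL and the JSP paths are hypothetical arguments supplied by the caller; curl is assumed to be on PATH.

```shell
#!/bin/sh
# Added example, not part of WFLY-4595 or the WildFly code base: probe a
# deployment for the trailing-slash JSP source leak described in this issue.
# Assumes curl is on PATH. The base URL (e.g. http://localhost:8080/jsp-source)
# and the JSP paths are hypothetical arguments supplied by the caller.
set -eu

# Append exactly one trailing slash to a URL, whether or not it already has one.
trailing_slash_url() {
    printf '%s/\n' "${1%/}"
}

# Succeed (exit 0) if the text on stdin looks like uncompiled JSP source:
# a page/taglib directive (<%@), an expression or declaration (<%= / <%!),
# or a scriptlet opener (<% followed by whitespace or end of line).
# Rendered HTML never contains these, so a match on a 200 response is a leak.
is_jsp_source() {
    grep -Eq '<%@|<%[=!]|<%[[:space:]]|<%$'
}

# Fetch one JSP with a trailing slash and report whether its source came back.
# Prints "LEAK <url>" or "ok <url> (<status>)"; returns 1 on a leak so a
# calling loop can turn the result into a CI exit code.
probe_jsp() {
    url=$(trailing_slash_url "$1")
    tmp=$(mktemp)
    # curl exits non-zero when it cannot connect; treat that as status 000.
    if ! status=$(curl -sS -o "$tmp" -w '%{http_code}' "$url"); then
        status=000
    fi
    if [ "$status" = 200 ] && is_jsp_source < "$tmp"; then
        rm -f "$tmp"
        echo "LEAK $url"
        return 1
    fi
    rm -f "$tmp"
    echo "ok $url ($status)"
}

# Usage: sh jsp-slash-check.sh http://localhost:8080/jsp-source index.jsp error.jsp
# With no arguments the script defines the functions above and does nothing.
if [ "$#" -ge 1 ]; then
    base=${1%/}
    shift
    [ "$#" -ge 1 ] || set -- index.jsp
    rc=0
    for path in "$@"; do
        probe_jsp "$base/${path#/}" || rc=1
    done
    exit "$rc"
fi
```

      A fixed server should answer the trailing-slash URL with the rendered HTML (no `<%` markers) or with a 404, so the check prints `ok` for every path; any `LEAK` line means the container is still serving the raw file.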

                People

                  Assignee: Stuart Douglas (swd847)
                  Reporter: Josef Cacek (jcacek)