I'm not sure if this is the right mailing list but I couldn't find anything on Google about this announcement.
The version in question is Jetty 4.2.12 integrated with JBoss 3.2.2.
According to the advisory, "an attacker can gain access to arbitrary files on the remote system with the privileges of the Web server process. This could lead to more serious attacks, depending on the information gathered."
A test ...
telnet localhost 443
GET / HTTP/1.1
HTTP/1.1 200 OK
Date: Tue, 18 May 2004 03:05:11 GMT
Server: Jetty/4.2.12 (SunOS/5.9 sparc java/1.4.2_02)
In this example, Jetty returned the contents of ROOT.ear. Should Jetty throw a different error code rather than a 200?
Thanks in advance.