Orion Application Server JSP source code disclosure
| orion-jsp-source-disclosure (25405) |  Low Risk |
Description:
Orion Application Server could allow a remote attacker to obtain sensitive information. If an attacker sends a URL request for a known JavaServer Pages (JSP) file with "dot" and "space" characters appended to the file extension, the requested file's source code will be returned.
Consequences:
Obtain Information
Remedy:
Upgrade to the latest version of Orion Application Server (2.0.7 or later), available from the Orion Web site. See References.
References:
- Orion Web site: Orion Application Server.
- BID-17204: Orion Application Server JSP Source Disclosure Vulnerability
- CVE-2006-0816: Orion Application Server before 2.0.7, when running on Windows, allows remote attackers to obtain the source code of JSP files via (1) . (dot) and (2) space characters in the extension of a URL.
- OSVDB ID: 24053: Orion Application Server Crafted Filename Extension JSP Source Disclosure
- SA18950: Orion Application Server JSP Source Disclosure Vulnerability
- SECTRACK ID: 1015823: Orion Application Server Discloses JSP Source Code to Remote Users
- VUPEN/ADV-2006-1055: Orion Application Server Filename Extension Source Disclosure Vulnerability
Platforms Affected:
- Orion Server Orion Application Server 2.0.5
- Orion Server Orion Application Server 2.0.6
Reported:
Mar 23, 2006
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net