apache tomcat的snoop servlet漏洞,apache tomcat的snoop servlet漏洞
【 tulaoshi.com - Java 】
bugtraq id 1500Certain versions of the IBM WebSphere application server ship with a vulnerability which allows malicious users to view the source of any document which resides in the web document root directory.
This is possible via a flaw which allows a default servlet (different servlets are used to parse different types of content, JHTML, HTMl, JSP, etc.) This default servlet will display the document/page without parsing/compiling it hence allowing the code to be viewed by the end user.
(本文来源于图老师网站,更多请访问https://www.tulaoshi.com/java/)The Foundstone, Inc. advisory which covered this problem detailed the following method of verifying the vulnerability - full text of this advisory is available in the 'Credit' section of this entry:
"It is easy to verify this vulnerability for a given system. Prefixing the path to web pages with "/servlet/file/" in the URL causes the file to be displayed without being
parsed or compiled. For example if the URL for a file "login.jsp" is:
http://site.running.websphere/login.jsp
then accessing
(本文来源于图老师网站,更多请访问https://www.tulaoshi.com/java/)http://site.running.websphere/servlet/file/login.jsp
would cause the unparsed contents of the file to show up in the web browser."
来源:https://www.tulaoshi.com/n/20160129/1487527.html
看过《apache tomcat的snoop servlet漏洞》的人还看了以下文章 更多>>
