Summary
By requesting a non-existent .JSP file, or by invoking the JSPServlet directly and supplying no filename, it is possible to make the ServletExec ISAPI filter disclose the physical path of the webroot.
Solution
Use the main ServletExec Admin UI to set a global error page for the entire ServletExec Virtual Server.
Severity
Classification
- CVE: CVE-2002-0892
- CVSS Base Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)