Summary
By requesting a non-existent .JSP file, or by invoking the JSPServlet directly and supplying no filename, it is possible to make the ServletExec ISAPI filter disclose the physical path of the webroot.
Solution
Use the main ServletExec Admin UI to set a global error page for the entire ServletExec Virtual Server.
Severity
Classification
- CVE: CVE-2002-0892
- CVSS Base Score: 5.0
- CVSS Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N