I'm running Sun App Server 9.1EE on a 32-bit Windows box (Windows Server 2003) and it seems to suffer the vulnerability whereby it's possible to access files under WEB-INF (or pretty much anywhere else under your application root) by appending a dot to the path - for instance:
http://yourappserver/yourapp/WEB-INF./web.xml
will nicely display your web.xml. This vulnerability was discovered some time ago on a range of application servers - the reports I'm seeing are dated 2002 when this first seemed to surface. It appears to be a problem with interpreting the trailing slash on Windows filesystems.
Is there any way to configure this vulnerability out of the appserver?
[Message sent by forum member 'ocoro02' (ocoro02)]
http://forums.java.net/jive/thread.jspa?messageID=292142
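One application-level mitigation for the behaviour described in the post above, as an added example that is not part of the original post or of the app server: a servlet filter that rejects any request whose path contains a segment ending in a dot or space, since Windows drops those characters when resolving a file name. The class name `TrailingDotFilter` is hypothetical, and the filter is assumed to be mapped to `/*` in the application's own web.xml.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter (added example). Assumes a <filter-mapping> of /* in web.xml.
public class TrailingDotFilter implements Filter {

    public void init(FilterConfig config) {}

    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        // servletPath + pathInfo is the container-decoded path, so %2e is seen as '.'
        String path = request.getServletPath();
        if (request.getPathInfo() != null) {
            path += request.getPathInfo();
        }
        if (hasWindowsAliasSegment(path)) {
            // Answer as if the resource does not exist rather than serving the file
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        chain.doFilter(req, res);
    }

    // True if any path segment ends in '.' or ' ', e.g. "WEB-INF." or "WEB-INF. ".
    // Windows strips such trailing characters, so "WEB-INF." opens the WEB-INF directory.
    static boolean hasWindowsAliasSegment(String path) {
        for (String segment : path.replace('\\', '/').split("/")) {
            int end = segment.length();
            while (end > 0 && (segment.charAt(end - 1) == '.' || segment.charAt(end - 1) == ' ')) {
                end--;
            }
            // end == 0 covers empty, "." and ".." segments, which the container normalizes itself
            if (end > 0 && end < segment.length()) {
                return true;
            }
        }
        return false;
    }
}
```

With this in place, `/WEB-INF./web.xml` gets a 404 from the filter, while ordinary paths such as `/index.jsp` pass through unchanged.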