Note: This is an archival copy of Security Sun Alert 201030 as previously published on http://sunsolve.sun.com.
The latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000767.1.
Article ID : 1000767.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2010-01-19
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Sun ONE Application Server May Disclose JSP Source



Category
Security

Release Phase
Resolved

Bug Id
4867279

Date of Resolved Release
05-AUG-2003

Impact

It may be possible to view the source code of JavaServer Pages (JSP) applications.


Contributing Factors

This issue can occur in the following releases:

  • Sun ONE Application Server 6.5 SP1 Maintenance Update 1 (MU1) and earlier 6.5 releases

Note: Sun ONE Application Server 6.0 and Sun ONE Application Server 7.0 and later releases are not affected.

All architectures and platforms are impacted by this issue. For supported architectures and OS versions see:


Symptoms

There are no symptoms that would show the described issue has been exploited.


Workaround

To work around the described issue, register JSPs in the web.xml file and use a servlet mapping to hide the JSP file names. For more information, please see:
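
The following web.xml fragment illustrates the workaround described above. It is an added example, not part of the original Sun Alert or Sun documentation. The servlet names, JSP paths and URL patterns are hypothetical, and the deployment's existing document header and other web.xml elements are assumed to be kept as they are.

```xml
<!-- Added illustration of the workaround; all names and paths are hypothetical. -->
<web-app>
  <!-- Register each JSP as a named servlet instead of exposing the .jsp file. -->
  <servlet>
    <servlet-name>AccountSummary</servlet-name>
    <jsp-file>/pages/account_summary.jsp</jsp-file>
  </servlet>
  <servlet>
    <servlet-name>OrderHistory</servlet-name>
    <jsp-file>/pages/order_history.jsp</jsp-file>
  </servlet>

  <!-- Public URLs carry no .jsp file name; links, form actions and
       forwards in the application should use only these mapped paths. -->
  <servlet-mapping>
    <servlet-name>AccountSummary</servlet-name>
    <url-pattern>/account/summary</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>OrderHistory</servlet-name>
    <url-pattern>/orders/history</url-pattern>
  </servlet-mapping>
</web-app>
```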


Resolution

This issue is addressed in the following releases:

  • Sun ONE Application Server 6.5 SP1 Maintenance Update 2 (MU2) and later

The above releases are available for download at:



Modification History

Product
Sun ONE Application Server 6.5, Enterprise Edition