COMMAND

    JavaWebServer

SYSTEMS AFFECTED

    Win systems

PROBLEM

    Min Chang  discovered that  there is  a security  vulnerability in
    the 1.1Beta version  of JavaWebServer for  win32.  Similar  to the
    IIS viewable source  bug, if you  append a '.'  (period) or a  '\'
    (backslash) to a .jhtml URL,  the server will display the  source.
    Exploit sample should be something like these two:

        http://localhost/xyz.jhtml.

    or

        http://localhost/xyz.jhtml\

    .jhtml  files  are  html  files  with  embedded Java code that are
    supposed to be compiled and returned to the client (sans the  java
    code).  Because these files  can have things like jdbc  queries or
    important  server  filenames  embedded  in  them, it is a security
    risk.

SOLUTION

    Nothing yet.  Disabling JWS  should do quick fix while  vendor fix
    become available (since BETA was tested that may be soon).