COMMAND

    eWave ServletExec

SYSTEMS AFFECTED

    Unify eWave ServletExec

PROBLEM

    Niclas Vikstrom found the following. Unify eWave ServletExec is a
    Java Server Pages (JSP) processing environment which runs on IIS
    (amongst a variety of other platforms and operating systems). JSP
    is similar to ASP in that it allows server-side source code to
    generate dynamic web pages for presentation to web visitors. As
    with ASP, the source code of JSP pages should not be visible to
    visitors.

    Basically, if you visit a JSP generated via ServletExec such as:

        http://dummysite/somepage.jsp

    you will see a fully formed page according to the source JSP
    instructions. Yet if you view the same page with a minor
    modification, using upper case JSP at the end of the link:

        http://dummysite/somepage.JSP

    you will, instead, see the source code for the JSP in question.

SOLUTION

    According to Unify, all that is required to prevent this is to
    have a default Servlet installed which, for example, states that
    the page requested is not found (or returns any other page you
    wish to present when a request arrives which does not explicitly
    match some known JSP).
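
    The following Python script is an added example, not part of the
    original advisory and not Unify's code. It scans W3C extended
    format access logs (the format IIS writes) for requests whose
    .jsp extension is in any casing other than lower case, and marks
    those answered with 200. The log lines and addresses in it are
    constructed sample data.

```python
# Added example: find case-variant .jsp requests in W3C extended logs.
# SAMPLE_LOG is constructed sample data, not taken from a real server.

SAMPLE_LOG = """\
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2000-01-01 10:15:01 192.0.2.10 GET /somepage.jsp 200
2000-01-01 10:15:09 192.0.2.10 GET /somepage.JSP 200
2000-01-01 10:16:30 192.0.2.44 GET /shop/cart.Jsp 404
2000-01-01 10:17:02 192.0.2.44 GET /images/logo.gif 200
2000-01-01 10:18:45 192.0.2.77 GET /admin/login.jSp 200
"""


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in #Fields."""
    fields = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated lines
                yield dict(zip(fields, values))


def is_case_variant_jsp(uri_stem):
    """True for .JSP, .Jsp, ... but not for the normally mapped .jsp."""
    ext = uri_stem.rpartition(".")[2]
    return ext.lower() == "jsp" and ext != "jsp"


def find_suspect_requests(text):
    """Return (client, uri, status, exposed) for each case-variant request.

    exposed is True when the server answered 200, i.e. it returned a body
    rather than the not-found response a default servlet would give.
    """
    hits = []
    for rec in parse_w3c(text):
        uri = rec.get("cs-uri-stem", "")
        if is_case_variant_jsp(uri):
            status = rec.get("sc-status", "")
            hits.append((rec.get("c-ip", "-"), uri, status, status == "200"))
    return hits


if __name__ == "__main__":
    for client, uri, status, exposed in find_suspect_requests(SAMPLE_LOG):
        print(client, uri, status, "CHECK FOR SOURCE EXPOSURE" if exposed else "")
```

    A 200 on such a request is a reason to inspect what was returned;
    once the default Servlet is in place these requests should log a
    not-found status instead.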