[jetty-dev] Fwd: Major security issue or misconfiguration?

Hi all,

Disclosure: This is a cross post from the users list where no-one had any suggestions - I hope you as devs may have more insight? :)

I am using Jetty 7.5.1 + OSGi, exposing servlets by using Web-ContextPath.

Say my Web-ContextPath is /foo and I have class bar.FooBar, then I can retrieve the class file by going to:

http://my.server/foo/bar/FooBar.class

and I in fact can list the whole directory and subdirectory by visiting:

http://my.server/foo

If I have a servlet mapped to /* then this does not happen.

This seems like an enormous issue. It hasn't happened previously, and I can't seem to find what has changed.

The previous behaviour was to 404 on requesting anything but servlet mappings, or assets that are not class files and not in META-INF or WEB-INF.

Can anyone shed any light on why all the class files in the bundle are exposed?

Thanks!

Matt
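For readers who hit the same symptom, here is an added example (not code from the original post and not part of Jetty) of the rule the post describes as the previous behaviour: anything that is not a servlet mapping must be a plain asset, so class files, anything under META-INF or WEB-INF, and bare directory requests get a 404 before the default resource servlet can serve them. The class name `BundleResourceGuardFilter` is hypothetical; the example assumes the bundle carries a WEB-INF/web.xml in which this filter is mapped with `<servlet-name>default</servlet-name>` (Jetty's name for its DefaultServlet), so it only guards static resources and leaves your own servlet mappings untouched. It also assumes the container has already URL-decoded the path, as the Servlet API specifies for getServletPath() and getPathInfo().

```java
import java.io.IOException;
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.Locale;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical filter (added example, not part of Jetty) that refuses to let the
 * default resource servlet hand out bundle internals: .class files, META-INF and
 * WEB-INF contents, and directory requests that would produce a listing.
 * Map it in WEB-INF/web.xml with <servlet-name>default</servlet-name>.
 */
public class BundleResourceGuardFilter implements Filter {

    public void init(FilterConfig config) { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // Context-relative path: for /foo/bar/FooBar.class this is /bar/FooBar.class
        String path = request.getServletPath();
        if (request.getPathInfo() != null) {
            path += request.getPathInfo();
        }
        if (isForbidden(path)) {
            // Answer exactly as if the resource did not exist, matching the old behaviour
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        chain.doFilter(req, res);
    }

    /** Pure policy decision, kept free of servlet types so it is easy to unit-test. */
    static boolean isForbidden(String contextRelativePath) {
        if (contextRelativePath == null) {
            return true;
        }
        // Treat backslashes as separators and drop ";path=params" so they cannot
        // disguise the real target (e.g. /bar/FooBar.class;x)
        String p = contextRelativePath.replace('\\', '/');
        int semi = p.indexOf(';');
        if (semi >= 0) {
            p = p.substring(0, semi);
        }
        // An empty path or a trailing slash is a directory request: that is the
        // case that produced the listing of the whole bundle in the report above
        if (p.isEmpty() || p.endsWith("/")) {
            return true;
        }
        // Collapse "." and ".." so /x/../WEB-INF/web.xml is judged as /WEB-INF/web.xml
        String norm = normalize(p).toLowerCase(Locale.ROOT);
        if (norm.isEmpty()) {
            return true; // e.g. "/.." resolves back to the context root
        }
        if (norm.equals("/web-inf") || norm.startsWith("/web-inf/")) {
            return true;
        }
        if (norm.equals("/meta-inf") || norm.startsWith("/meta-inf/")) {
            return true;
        }
        // Compiled classes are never assets, whatever package they sit in
        return norm.endsWith(".class");
    }

    /** Segment-wise normalisation; never climbs above the context root. */
    static String normalize(String path) {
        Deque<String> parts = new ArrayDeque<String>();
        for (String seg : path.split("/")) {
            if (seg.isEmpty() || seg.equals(".")) {
                continue;
            }
            if (seg.equals("..")) {
                if (!parts.isEmpty()) {
                    parts.removeLast();
                }
                continue;
            }
            parts.addLast(seg);
        }
        StringBuilder sb = new StringBuilder();
        for (String part : parts) {
            sb.append('/').append(part);
        }
        return sb.toString();
    }
}
```

With this filter in place, `/foo/bar/FooBar.class` and `/foo` both return 404 while `/foo/css/site.css` still reaches the default servlet. The filter is a stop-gap that makes the exposure independent of whichever Jetty or OSGi setting changed; the underlying cause (the default servlet now seeing the bundle root as its resource base, with directory listing enabled) still deserves to be found and fixed in the configuration.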
