多种WEB服务器的通用JSp源代码暴露漏洞

　　class Design Error

　　cve CVE-2000-0499

　　remote Yes

　　local Yes

　　published June 08, 2000

　　updated November 10, 2000

　　vulnerable BEA Systems Weblogic 4.5.1

　　- MicrosoftWindows NT4.0

　　BEA Systems Weblogic 4.0.4

　　- Microsoft Windows NT 4.0

　　BEA Systems Weblogic 3.1.8

　　- Microsoft Windows NT 4.0

　　IBM Websphere Application Server 3.0.21

　　- Sun Solaris 8.0

　　- Microsoft Windows NT 4.0

　　- Linux kernel 2.3.x

　　- IBM AIX4.3

　　Unify eWave ServletExec 3.0

　　- Sun Solaris 8.0

　　- Microsoft Windows 98

　　- Microsoft Windows NT 4.0

　　- Microsoft Windows NT 2000

　　- Linux kernel 2.3.x

　　- IBM AIX 4.3.2

　　- HP HP-UX 11.4

　　Many webservers are case-sensitive, but do not have all possible combinations of cases in mapped extensions mapped properly.

　　By changing the letters in a JSP or a JHTML file extension from lower case to upper case (eg: .jsp or .jhtml becomes .JSP or .JHTML) in a URL the server does not recognize the file extension and sends the file normally. In that manner, a user is able to access the source code to those specific files.