Bajie Web Server Exposes File System
Reported July 31, 2000 by Andrew Lewis

VERSIONS AFFECTED

Bajie Web Server v0.03a

DESCRIPTION

A Java servlet that ships with the Bajie Web Server can be made to reveal critical physical path information. The servlet is located in the /servlet/test/pathinfo/test directory tree. In addition, by sending the server a URL that contains four dots (http://bajie.server/...) the server can be made to access any file on the system by specifying its relative path from the root directory.
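The check below shows one way a Java file server can refuse dot-sequence paths like the one described above; it is an added example, not Bajie's code, and the class name DocRootGuard and method resolve are hypothetical. It assumes the URL path has already been percent-decoded exactly once, and, since the advisory does not say how the server parses the dots, it refuses every all-dot segment rather than only "..".

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;

public class DocRootGuard {
    // Hypothetical helper: maps a decoded URL path to a file under docRoot.
    // Returns null when the request must be refused.
    static Path resolve(Path docRoot, String decodedPath) throws IOException {
        if (decodedPath.indexOf('\0') >= 0) return null;   // embedded NUL
        Path root = docRoot.toRealPath();                  // canonical document root
        Path candidate = root;
        try {
            // Treat both '/' and '\' as separators so neither can smuggle a segment.
            for (String seg : decodedPath.split("[/\\\\]+")) {
                if (seg.isEmpty()) continue;
                // normalize() only collapses "." and ".."; a longer run such as
                // "...." would be passed through to the file system, so every
                // all-dot segment is refused here.
                if (seg.matches("\\.+")) return null;
                candidate = candidate.resolve(seg);
            }
        } catch (InvalidPathException e) {
            return null;                                   // not a legal path on this OS
        }
        candidate = candidate.normalize();
        if (!candidate.startsWith(root)) return null;      // containment check
        // A symlink inside the root must not lead outside it.
        if (Files.exists(candidate) && !candidate.toRealPath().startsWith(root)) return null;
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample document root and request paths.
        Path root = Files.createTempDirectory("docroot");
        Files.write(root.resolve("index.html"), "ok".getBytes());
        String[] samples = {"/index.html", "/../outside.txt", "/..../outside.txt", "/a/.../b"};
        for (String s : samples) {
            Path p = resolve(root, s);
            System.out.println(s + " -> " + (p == null ? "REFUSED" : "inside document root"));
        }
    }
}
```

The containment test runs on the resolved path rather than on the raw string, so it still holds if a separator or dot pattern is missed by the segment filter.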

VENDOR RESPONSE

The author was contacted and sent information about how to eliminate the problems. Check the Bajie Web site for an updated version.

CREDIT
Discovered by Andrew Lewis