Bajie Web Server Exposes File System
Reported July 31, 2000 by Andrew Lewis
A Java servlet that ships with the Bajie Web server can be made to reveal critical physical path information. The servlet is located in the /servlet/test/pathinfo/test directory tree. In addition, by sending the server a URL that contains four dots (http://bajie.server/...) the server can be made to access any file on the system by specifying its relative path from the root directory.
The author was contacted and sent information about how to eliminate the problems. Check the Bajie Web site for an updated version.
Discovered by Andrew Lewis
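The multi-dot URL problem described above is a document-root escape. One way a Java server can refuse such requests is sketched below as an added example; it is not Bajie's code or the fix sent to the author. The class and method names are hypothetical, and the URL path is assumed to have been percent-decoded exactly once before it is passed in.

```java
import java.io.IOException;
import java.nio.file.*;

public class DocRootResolver {              // hypothetical name, for illustration
    private final Path root;

    public DocRootResolver(Path docRoot) throws IOException {
        this.root = docRoot.toRealPath();   // canonical root, symlinks resolved
    }

    /** Maps an already-decoded URL path to a file under root, or null to refuse. */
    public Path resolve(String urlPath) {
        if (urlPath.indexOf('\0') >= 0 || urlPath.indexOf('\\') >= 0) return null;
        Path candidate = root;
        try {
            for (String seg : urlPath.split("/")) {
                if (seg.isEmpty() || seg.equals(".")) continue;
                // Refuse "..", "...", "....": any segment made only of dots.
                if (seg.matches("\\.{2,}")) return null;
                candidate = candidate.resolve(seg);
            }
            candidate = candidate.normalize();
            // Containment check on the normalized path, not on the raw string.
            if (!candidate.startsWith(root)) return null;
            // A symlink inside the root must not lead outside it.
            if (Files.exists(candidate) && !candidate.toRealPath().startsWith(root)) {
                return null;
            }
            return candidate;
        } catch (InvalidPathException | IOException e) {
            return null;                    // unparseable or vanished path: refuse
        }
    }

    public static void main(String[] args) throws IOException {
        Path tmp = Files.createTempDirectory("docroot");   // constructed sample root
        Files.writeString(tmp.resolve("index.html"), "ok");
        DocRootResolver r = new DocRootResolver(tmp);
        // Constructed request paths, not taken from the advisory.
        for (String p : new String[] {"/index.html", "/....", "/../index.html", "/a/.../b"}) {
            System.out.println(p + " -> " + (r.resolve(p) == null ? "refused" : "served"));
        }
    }
}
```

Only the first constructed path is served; the other three are refused before any file is opened.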