Multiple Vendor URL JSP Request Source Code Disclosure Vulnerability

          Has anybody heard about this vulnerability in weblogic web server? If so, is there
          a fix now or is BEA planning one soon? This is a potentially serious security
          The problem exists in the way the web server handles decoding a requested URL.
          If the URL contains hex encoded values for characters in a filename, the contents
          of the requested file will be served to the client. If the requested file type
          is jsp the source will be sent to the client instead of the compiled version.
          If anybody has a fix, please post.

          Check Weblogic developer center, where you can find some security patches (including
          the one you mention) on right pane.

          "Jay Reynolds" <[email protected]> wrote:
          >Has anybody heard about this vulnerability in weblogic web server? If so, is there
          >a fix now or is BEA planning one soon? This is a potentially serious
          >The problem exists in the way the web server handles decoding a requested
          >If the URL contains hex encoded values for characters in a filename, the contents
          >of the requested file will be served to the client. If the requested file type
          >is jsp the source will be sent to the client instead of the compiled
          >If anybody has a fix, please post.
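A detection sketch for the behaviour described in the thread above, added here as an example and not taken from the thread or from BEA: it scans access-log lines for requests whose file name resolves to a JSP only after percent-decoding. The log format, the sample lines and the `.jsp` mapping are assumptions constructed for the illustration.

```python
"""Flag requests whose file name hides a JSP extension behind percent-encoding."""
import posixpath
import re
from urllib.parse import unquote

SCRIPT_EXTENSIONS = {".jsp"}  # assumption: extensions mapped to the JSP engine
UNRESERVED = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-._~")
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/\d\.\d)"')
ESCAPE_RE = re.compile(r"%([0-9A-Fa-f]{2})")


def decode_fully(text, max_rounds=4):
    """Percent-decode until stable so double encoding (%2570) is normalised too."""
    for _ in range(max_rounds):
        decoded = unquote(text, encoding="latin-1")
        if decoded == text:
            break
        text = decoded
    return text


def needless_escapes(segment):
    """Escapes that encode unreserved characters; RFC 3986 never requires these."""
    return [m.group(0) for m in ESCAPE_RE.finditer(segment)
            if chr(int(m.group(1), 16)) in UNRESERVED]


def classify(target):
    """Return (verdict, canonical_path) for one request target."""
    raw_path = target.split("?", 1)[0].split("#", 1)[0]
    canonical = posixpath.normpath(decode_fully(raw_path))
    raw_name = raw_path.rsplit("/", 1)[-1]
    raw_ext = posixpath.splitext(raw_name)[1].lower()
    canon_ext = posixpath.splitext(canonical)[1].lower()
    if canon_ext in SCRIPT_EXTENSIONS:
        if raw_ext != canon_ext:
            # The extension only appears after decoding: a handler lookup done on
            # the raw name would miss the JSP mapping and serve the file as-is.
            return "hidden-script-extension", canonical
        if needless_escapes(raw_name):
            return "encoded-script-name", canonical
    return "ok", canonical


def scan(log_lines):
    """Return (line_number, verdict, raw_target, canonical_path) per suspicious request."""
    findings = []
    for number, line in enumerate(log_lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        verdict, canonical = classify(match.group("target"))
        if verdict != "ok":
            findings.append((number, verdict, match.group("target"), canonical))
    return findings


# Constructed sample lines in common log format; hosts and paths are made up.
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Mar/2001:10:01:22 +0000] "GET /app/login.jsp HTTP/1.0" 200 1532',
    '192.0.2.44 - - [12/Mar/2001:10:02:07 +0000] "GET /app/login.js%70 HTTP/1.0" 200 4811',
    '192.0.2.10 - - [12/Mar/2001:10:02:30 +0000] "GET /docs/my%20report.html HTTP/1.0" 200 912',
    '192.0.2.44 - - [12/Mar/2001:10:03:11 +0000] "GET /app/%6Cogin.jsp?x=1 HTTP/1.0" 200 1532',
    '192.0.2.44 - - [12/Mar/2001:10:03:40 +0000] "GET /app/login.js%2570 HTTP/1.0" 404 0',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The same `classify` step shows the server-side remedy in miniature: choose the handler from the canonical path, never from the raw one.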

Similar Messages

  • Selecting multiple images to edit the source code

    Hi. Does anyone know if there's a way to select multiple
    images in a table and change their source code. The reason why I
    ask is that I recently decided to organize my assets folder by
    adding subfolders. Naturally, this makes my images appear as broken
    links. It's a pretty big site that I'm working on and I would like
    to know if there is a faster way than just selecting them one by

    If you would have created the folders within DW itself (file management), and moved images from one folder to the other, the links would have been adjusted automatically. Carrying out changes like this outside of DW will create broken links as you have
    Did you backup the original site, if so, and have a lot of broken links, it may be worthwhile going back to the original and use the file management to rename/create new folders and move your assets that way.
    Adobe® Community Expert : Dreamweaver
    "lordcornwallis" <[email protected]> wrote in message news:gpqni2$3io$[email protected]..
    > Hi. Does anyone know if there's a way to select multiple images in a table and
    > change their source code. The reason why I ask is that I recently decided to
    > organize my assets folder by adding subfolders. Naturally, this makes my
    > images appear as broken links. It's a pretty big site that I'm working on and
    > I would like to know if there is a faster way than just selecting them one by
    > one.

  • Use flash charts from multiple base URLs

    My APEX apps are hosted by a shared service provider who uses a front end proxy. Following the instructions in this forum, I was able to get flash charts to work by substituting my client URL for #HOST#.
    Example, Change:
    <embed src="#IMAGE_PREFIX#flashchart/
    <embed src="#IMAGE_PREFIX#flashchart/#CHART_TYPE#.swf?XMLFile=
    I changed this base url in multiple locations in the chart source code and the charts now work.
    Users access the site via a public domain In order to get the charts to work I then need to change #HOST# to Then they no longer work when accessing via
    Is there some way to get the charts to work irrespective of which path users take to get to the site?
    Though the above fix works for stand alone flash charts it does not work for the charts in interactive reports or the sample charts displayed when using the chart builder wizard in the application builder.
    Is there somewhere to change in order to get the sample charts in the create chart wizard in application builder and/or the charts in interactive reports?

    Take a look at this thread -
    Re: #HOST# variable at Flash chart region source
    Which discusses the issue.

  • Vendor Down Payment Request on WBS (F-47)

    Dear Fellows:
    I have come across a problem that while creating a Vendor Down Payment request (T.code: F-47) on WBS, my system is not stopping me over budget exhaust. I have Budget of 100 and I create request for 101, system allows it and post the document.
    Vice versa, if I create a Vendor Down Payment request over Commitment item, then system check the budget and generates message.
    Any good solution to it would highly be appreciable.

    The budget availability check is done only against the assigned values and
    The following entries do not contribute to the Assigned value
        V: Value type not relevant (<> Act./Plan/Stat.Act./Stat.Plan/Commt)
        D: Delivery
        S: Settlement to object with no budget control
        R: Revenue cost element
        C: Cost element is exempt cost element
        M: Minimum from actual + commitment and plan per order value update
        P: Plan value is not on apportioned order / network
        B: Plan Costing Single Position
        S: Funds Commitment in Balance
    So the down payment is not covered for the calculation of the assigned value.
    Hence no check is carried out for the Availability check.
    Hope it's useful.
    Reward points if useful.

  • Instead of requested page source code is getting populated in WAS

    Hi All,
    I'm trying to bring up an application using jnlp. Please find below the source code for the same.
    When I deploy the application in WAS, I'm able to bring up the application without any issue.
    But other than if I deploy the same war file in any other WAS server, it's just showing the source code when I request for href in the browser.
    Kindly some one help me to resolve this.
      <?xml version="1.0" encoding="UTF-8" ?>
      <jnlp spec="1.0+" codebase="<appname>/">
        <information>
          <title> Application name</title>
          <homepage href="/RSA" />
          <description>JNLP Application for <appname></description>
          <offline-allowed />
        </information>
        <security>
          <all-permissions />
        </security>
        <resources>
          <j2se version="1.4+" />
          <jar href="appname.jar" />
          <extension name="jcalendar" href="jcalendar.jnlp" />
          <extension name="jcommon" href="common.jnlp" />
          <extension name="jfreechart" href="jfreechart.jnlp" />
        </resources>
        <application-desc main-class="a.b.c.d.mainclass" />
      </jnlp>
    Thanks in advance,

    Type must be registered with jnlp extension so that content type is set (in the header with value application/x-java-jnlp-file), this should be done in httpd.conf (with an AddType), you can google for it or ask any server administrator for it, should be something like:
    AddType application/x-java-jnlp-file .jnlp
    Maybe you can give a look at working httpd.conf (on searching for 'application/x-java-jnlp-file') and copy/paste in other configs.

  • How can one encrypt the source code of a given web page(html, jsp, etc.) ?

    Good Day! I'm just having a hard time of thinking how to encrypt the source code of a given web page(html, jsp, etc.) without affecting how it is previewed in an Internet Browser. What I plan is to disable the capabilities of some malicious Internet users of copying the source codes of my web pages by using the "View Source" option of Internet Explorer and the equivalent function in Netscape Navigator. Please somebody help me in this matter (I'm planning to use an IDEA algorithm using JCE)....
    It would be big help if a running code is supplied.
    Thank you very much in advance.
    God Bless!!!
    - Jonathan Untalan([email protected])

    Don't know these softs. What I know about encrypted web pages, is that you need a secure socket connection (https).
    Your web page will be ciphered, sent to the user, and deciphered by the browser with the signature file associated to your https connection.
    It isn't possible to encrypt your page directly, and then decrypt them when requested.
    For the download time, only the server is responsible for this.
    If it is overloaded, then it will slow down its upload.
    Maybe you use some encryption method that require a lot of CPU time.
    For summary : you can only cipher the pipe transport, but not the transported pages.
    Good luck in your search.

  • Report to identify multiple vendors in source list?

    is there a standard t-code that may list multiple vendors (if they exist) for a range of source lists?  better to solve with abap query?
    (ex. say there are 1250 materials and want a list of source lists, with vendors or even one vendor if it only has one)
    thanks all
    Edited by: strat on Mar 27, 2008 10:41 PM

    Try following report
    ME0M - Source List for Material

  • Dynamically generate JSF Source code in a JSP

    I have a JSP and instead of writing the JSF source Code like:
    manually in the jsp I want the JSF source code to be added dynamically to the jsp.
    So what I want is including a tag in the jsp and this tag generates JSF source code like seen above.
    This source code should then be treated just the way it would be if I had written it manually in the JSP. This means that the dynamically generated JSF code must be interpreted and all Listeners and Beans work just fine.
    How can I make this???

    I have a similar problem:
    <h:panelGrid binding="#{fileUploadGrid.panelGrid}">
       <%-- empty in jsp --%>
    </h:panelGrid>
    The panel should be populated with items the backing bean creates in source code:
    public void setUploadFieldNumber(int uploadFieldNumber) {
        this.uploadFieldNumber = uploadFieldNumber;
    }
    private void refresh() {
        // lazily create the grid on first use
        if (this.panelGrid == null)
            createPanelGrid();
        List children = this.panelGrid.getChildren();
        for (int i = 0; i < this.uploadFieldNumber; i++) {
          HtmlOutputText out = new HtmlOutputText();
          out.setTitle("Image " + i);
          HtmlInputText in = new HtmlInputText();
          // attach the label and the input field to the grid
          children.add(out);
          children.add(in);
        }
    }
    private void createPanelGrid() {
        this.panelGrid = new HtmlPanelGrid();
    }
    public void setPanelGrid(HtmlPanelGrid panelGrid) {
        this.panelGrid = panelGrid;
    }
    public HtmlPanelGrid getPanelGrid() {
        return this.panelGrid;
    }
    The backing bean is initialized in faces-config.xml:
    </managed-bean>
    The problem is: although the debug output of the faces framework (I use it along with Tomcat) shows that the in- and output fields are added correctly to the panel, the page remains empty at display.
    Thanks in advance for any help.
    F. Eckhardt

  • How to protect JSP source code on the Server Side ?

    I am new on JSP. I Already know about various Web and Desktop technologies but is the first time on JSP. I know ASP for example.
    Well, about .NET platform, it protects my source code on the server, the source code is compiled and on the server, only the compiled file are installed, my source code stay with me...
    About JSP, how it works about ? Is possible to hide my source code too ? What the technique to hide the codes ? I need to prevent access to my source codes...

    roberto.novakosky wrote:
    > About .exe files, do you know if a java class is more easy or difficult to do reverse engineering ?
    Depends on who your enemy is. If it's for example a hacker with a lot of C knowledge but zero of Java knowledge, reverse engineering .exe would be easier than .class. If one was interested, one would always take time to learn how to decompile the one or other. Making files secure is a waste of time. It's always "hackable".
    If there was a proof of concept, no one major software vendor would have had so much problems with piracy and cracks/keygens. Think about it once again. It's simply impossible. Just have a clear EULA and actually make work of it whenever you discover if someone breaks your EULA.
    > I was thinking about, the .JSP can be converted to servlet .java, and converted to .class, this way hide the source code.
    Once again, one could still decompile it (or reverse engineer, so you call).

  • Super 1.5 - source code level tracing for EJB, JSP and others


    Would you want to try new installation for Super 1.6?
    Please visit
    "Dominique Jean-Prost" <[email protected]> wrote:
    If only your installation tool was easy to use ...
    "Wei Jiang" <[email protected]> wrote in message news:
    [email protected]
    Super supports source code level tracing for Java and JSP!
    Announcement: Super 1.5 - an EJB/J2EE monitoring tool with
    It is free for development.
    You can anonymously download it from:
    Super is a component based administration tool for EJB/J2ee.
    It provides built-in functionality as well as
    extensions, as SuperComponents. Users can install
    SuperComponents onto it, or uninstall them from it.
    Super has the following functions:
    * A J2EE/EJB monitor.
    * A gateway to EJB servers from different vendors.
    * A framework holding user defined SuperComponents.
    * A PeekPoke tool to read/write attributes from EJBs.
    * A full-featured logging/tracing tool for centralized, chronological logging.
    * A Stress test tool.
    * A global environment tool.
    It is written in pure Java.
    The current version support:
    * Universal servers.
    * Weblogic 5.1
    * Weblogic 6.0
    What is new:
    Version 1.50 August, 2001
    1. Source code level tracing supports EJB, JSP, java helper and other
    programs which are written in native languages (as long as you
    write correct log messages in your application).
    2. Redress supports JSP now.
    3. New installation with full help document: hope it will be easier.
    4. Support WebSphere 4.0
    Version 1.40 June, 2001
    1. Add SuperEnvironment which is a Kaleidoscope with TableView, TimeSeriesView
    and PieView for GlobalProperties.
    GlobalProperties is an open source program from Acelet.
    2. SuperPeekPoke adds Kaleidoscope with TableView, TimeSeriesView and PieView.
    1. The structure of log database changed. You need delete old installation and
    install everything new.
    2. The format of time stamp of SuperLogging changed. It is not locale dependent:
    better for report utilities.
    3. Time stamp of SuperLogging added machine name: better for clustering environment.
    Bug fix:
    1. Under JDK 1.3, when you close Trace Panel, the timer may not be stopped
    Style Panel may not show up.
    Version 1.30 May, 2001
    1. Add ConnectionPlugin support.
    2. Add support for Borland AppServer.
    Version 1.20 April, 2001
    1. Redress with option to save a backup file
    2. More data validation on Dump Panel.
    3. Add uninstall for Super itself.
    4. Add Log Database Panel for changing the log database parameters.
    5. Register Class: you can type in name or browse on file system.
    6. New tour with new examples.
    Bug fix:
    1. Redress: save file may fail.
    2. Install Bean: some may fail due to missing manifest file. Now, it is
    as foreign beans.
    3. Installation: Both installServerSideLibrary and installLogDatabase can
    be worked
    on the original file, do not need copy to a temporary directory anymore.
    4. PeekPoke: if there is no stub available, JNDI list would be empty for
    Now it pick up all available ones and give warning messages.
    5. Stress: Launch>Save>Cancel generated a null pointer exception.
    1. installLogDatabase has been changed from .zip file to .jar file.
    2. SuperLogging: If the log database is broken, the log methods will not
    try to
    access the log database. It is consistent with the document now.
    3. SuperLogging will not read system properties now. You can put log database
    parameters in SuperLoggingEJB's deployment descriptor.
    Version 1.10 Feb., 2001
    1. Re-written PeekPoke with Save/Restore functions.
    2. New SuperComponent: SuperStress for stress test.
    3. Set a mark at the highlighted line on the Source Code
    Panel (as a work-a-round for JDK 1.3).
    4. Add support for WebLogic 6.0
    Bug fix:
    1. Uninstall bean does physically delete the jar file now.
    2. WebLogic51 Envoy may not always list all JNDI names. This is fixed.
    Version 1.00 Oct., 2000
    1. Support Universal server (virtual all EJB servers).
    2. Add Lost and Found for JNDI names, in case you need it.
    3. JNDI ComboBox is editable now, so you can PeekPoke not listed JNDI name
    for Envoys which do not support JNDI list).
    Version 0.90: Sept, 2000
    1. PeekPoke supports arbitrary objects (except for Vector, Hashtable
    and alike) as input values.
    2. Reworked help documents.
    Bug fix:
    1. Clicking Cancel button on Pace Panel set 0 to pace. It causes
    further time-out.
    2. MDI related bugs under JDK 1.3.
    Version 0.80: Aug, 2000
    1. With full-featured SuperLogging.
    Version 0.72: July, 2000
    Bug fix:
    1. Ignore unknown objects, so Weblogic5.1 can show JNDI list.
    Version 0.71: July, 2000
    1. Re-worked peek algorithm, doing better for concurrent use.
    2. Add cancellable Wait dialog, showing Super is busy.
    3. Add Stop button on Peek Panel.
    4. Add undeploy example button.
    Bug fix:
    1. Deletion on Peek Panel may cause error under JDK 1.3. Now it works for
    1.2 and 1.3
    Version 0.70: July, 2000
    1. PeekPoke EJBs without programming.
    Bug fix:
    1. Did not show many windows under JDK 1.3. Now it works for both 1.2 and
    1. All changes are backward compatible, but you may need to recompile monitor
    windows defined by you.
    Version 0.61: June, 2000
    Bug fix:
    1. First time if you choose BUFFER as logging device, message will not
    2. Fixed LoggingPanel related bugs.
    Version 0.60: May, 2000
    1. Add DATABASE as a logging device for persistent logging message.
    2. Made alertInterval configurable.
    3. Made pace for tracing configurable.
    Bug fix:
    1. Fixed many bugs.
    Version 0.51, 0.52 and 0.53: April, 2000
    1. Add support to Weblogic 5.1 (support for Logging/Tracing and
    user defined GUI window, not support for regular monitoring).
    Bug fix:
    1. Context sensitive help is available for most of windows: press F1.
    2. Fix installation related problems.
    Version 0.50: April, 2000
    1. Use JavaHelp for help system.
    2. Add shutdown functionality for J2EE.
    3. Add support to Weblogic 4.5 (support for Logging/Tracing and
    user defined GUI window, not support for regular monitoring).
    Bug fix:
    1. Better exception handling for null Application.
    Version 0.40: March, 2000
    1. New installation program, solves installation related problems.
    2. Installation deploys AceletSuperApp application.
    3. Add deploy/undeploy facilities.
    4. Add EJB and application lists.
    1. SimpleMonitorInterface: now more simple.
    Version 0.30: January, 2000
    1. Add realm support to J2EE
    2. Come with installation program: you just install what you want
    the first time you run Super.
    Version 0.20: January, 2000
    Add support to J2EE Sun-RI.
    1. Replace logging device "file" with "buffer" to be
    compliant to EJB 1.1. Your code do not need to change.
    Version 0.10: December, 1999
    1. provide SimpleMonitorInterface, so GUI experience is
    not necessary for developing most monitoring applications.
    2. Sortable table for table based windows by mouse
    click (left or right).
    Version 0.01 November., 1999:
    1. Bug fix: An exception thrown when log file is large.
    2. Enhancement: Add tour section in Help information.
    Version 0.00: October, 1999

  • URL source code

    I want to make an internet explorer, I am facing a problem at this time:
    how can I get the source code that an explorer is getting from the sites. when a user hits on a url then the website sends information that I want to get up till now I can only get the HTML code by using
    URL u = new URL("");
    InputStream in = u.openStream();
    in = new BufferedInputStream(in);
    Reader r = new InputStreamReader(in);
    int c;
    // read the response body one character at a time until end of stream
    while ((c = r.read()) != -1)
        System.out.print((char) c);
    but it is not the thing that I required. I did another attempt by URLConnection, but it give exception of unknown host server exception, at runtime.

    > but it is not the thing that i required. i did another
    > attempt by URLConnection, but it give exception of
    > unknown host server exception, at runtime.
    Just to be clear.
    A browser sends a request to a web server. A web server returns a response to the browser. To create the response the web server might run some code.
    All you have access to is what you send to the server and the response that it sends back. There is no way for you to get to the code that the server runs to generate your response.
    Some response sent to a browser can contain code (that is not the same as the code that runs on the server.) That is how an applet works. But that is part of the response.

  • One cheque for multiple vendors in diff comp codes

    Good day all
    My client wants to pay multiple vendors in multiple company codes with one cheque.
    Ex.1.  Vendor 123 in Comp code 1
              Vendor 555 in Comp code 2
              Vendor 789 in Comp code 3
              Must all be paid with one cheque to Vendor 987 in Comp code 1.
    2. Vendor 123 in Comp 1
        Vendor 123 in Comp 2
        Vendor 123 in Comp 3
        Must all be paid with one cheque to Vendor 123 in Comp code 1.
    Only ONE cheque in both cases must be created.
    Is this at all possible with F110, check payments?
    Any advice or ideas would be greatly appreciated.

    Do vendor transfer posting from one to another company code that transfer remaining two vendors to one main vendor through cross company transaction and then clear the open items of remaining two vendors. And run F110 for Main vendor to whom who want to print cheque.

  • How to convert the source code in JSP,HTML&BEANS into executable files?

    We are developing one s/w product in JSP,HTML&BEANS.Now we are in the implementation phase.During the time of Installation,without copying our source code in the customer's site I want to copy the executable files of the entire source codes? Is it possible in JSP,HTML&BEANS?

    In theory you can do it even with JSP but then you will be unable to run it on the standard JSP engine. :-)
    On the other hand, all critical logic should be in the Java Beans or at least in custom tags but not in the JSP code. Then you can protect that code and leave JSP open because there is nothing to steal or break.

  • Login Box example and source code on adf struts and JSP

    Dear all..
    I want to make application using ADF struts and JSP using oracle 10g Jdeveloper.
    The user should login into the login box and verify everyone who has right to enter the home.jsp.
    Anybody could help me with the source code as well as the step by step explanation...
    I'm looking forward the help...

  • How to reveal JSP source code

    I was just wondering if the source code of a JSP page can be viewed any way?
    The JSP gets translated to a servlet, which pretty much generates HTML and only that is visible to the client browser but is there a way around it?
    E.g. would be secure/suicidal to include usernames and passwords to the JSP source code?
    I would greatly appreciate any feedback.

    The HTML delivered will contain only the output from JSP execution -- you're safe there.
    Every JSP when it is compiled produces a .java file that contains that actual servlet code. There is a risk of a user finding that and downloading it. To avoid this, you want to do one or more of the following:
    1. Turn off the server's retaining of this .java file (it's basically a debugging tool).
    2. Ensure that the .java files are created in a directory that is not accessible via the browser (i.e. outside of docroot).
    3. Apply file system permissions to the directory the files are created in such that they cannot be accessed from the web.
    #1 and #2 should be pretty easily configurable in your application server's settings. #3 is trickier, as you have to set the permissions such that the server can access them, but a web user can't.
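An audit sketch for the three measures listed in the answer above, added here as an example and not part of the original reply: it reports generated `.java` files that sit under the docroot or are still retained in the server's work directory, and a work directory that other accounts can reach. The function names, the finding labels and the assumption that the server runs as the directory's owner or group are hypothetical choices for this illustration.

```python
"""Check where JSP-generated .java files live and who can reach them."""
import os
import stat


def is_inside(child, parent):
    """True when child is parent itself or lies below it, after resolving symlinks."""
    child = os.path.realpath(child)
    parent = os.path.realpath(parent)
    return os.path.commonpath([child, parent]) == parent


def java_sources(top):
    """All .java files below top, sorted for stable output."""
    return sorted(
        os.path.join(root, name)
        for root, _dirs, names in os.walk(top)
        for name in names
        if name.lower().endswith(".java")
    )


def audit(docroot, workdir):
    """Return a list of (finding, detail) tuples; an empty list means all three checks pass."""
    findings = []

    # Measure 2: the directory for generated sources must be outside the docroot.
    nested = is_inside(workdir, docroot)
    if nested:
        findings.append(("workdir-inside-docroot", workdir))
    for path in java_sources(docroot):
        findings.append(("java-source-under-docroot", path))

    # Measure 1: with retention switched off there should be no .java left behind.
    if not nested:
        for path in java_sources(workdir):
            findings.append(("java-source-retained", path))

    # Measure 3: no access for 'other' accounts (assumes the server is owner or group).
    mode = stat.S_IMODE(os.stat(workdir).st_mode)
    if mode & stat.S_IRWXO:
        findings.append(("workdir-open-to-others", oct(mode)))
    return findings


if __name__ == "__main__":
    import sys
    for finding, detail in audit(sys.argv[1], sys.argv[2]):
        print(finding, detail)
```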
