BID:17204

Orion Application Server JSP Source Disclosure Vulnerability

Info

Orion Application Server JSP Source Disclosure Vulnerability

Bugtraq ID:	17204
Class:	Design Error
CVE:	CVE-2006-0816
Remote:	Yes
Local:	No
Published:	Mar 23 2006 12:00AM
Updated:	Mar 23 2006 10:09PM
Credit:	Tan Chew Keong of Secunia Research is credited with the discovery of this vulnerability.
Vulnerable:	Orion* Orion Application Server 2.0.6 Orion* Orion Application Server 2.0.5

Not Vulnerable:	Orion* Orion Application Server 2.0.7

Discussion

Orion Application Server JSP Source Disclosure Vulnerability

A problem with Orion Application Server results in the disclosure of the source code of Java Server Pages. This allows attackers to gain unauthorized access to sensitive information, potentially aiding them in further attacks.

This issue only affects Orion Application Server installations on Microsoft Windows platforms. Versions 5.0.5 and 5.0.6 are vulnerable; earlier versions may also be vulnerable.

Exploit / POC

Orion Application Server JSP Source Disclosure Vulnerability

This issue can be exploited through a web client.

Solution / Fix

Orion Application Server JSP Source Disclosure Vulnerability

Solution:
The vendor has released version 2.0.7 to address this issue.

Orion* Orion Application Server 2.0.5

Orion* orion2.0.7.zip
http://www.orionserver.com/mirrordownload.jsp?file=orion2.0.7.zip

Orion* Orion Application Server 2.0.6

Orion* orion2.0.7.zip
http://www.orionserver.com/mirrordownload.jsp?file=orion2.0.7.zip

References

Orion Application Server JSP Source Disclosure Vulnerability

References:

Orion Application Server Homepage (Orion*)
Orion Application Server JSP Source Disclosure Vulnerability (Secunia)