Hi,
yes, this is a quite severe bug/security hole that effects Win32 users (UNIX users are 
not affected). We recommend anyone running a deployed application on a windows system 
to download the patch at http://www.orionserver.com/orion/orion.jar. This patch also 
fixes some other bugs like the escape character bug as reported by Brien Voorhees. As 
stated earlier you also need the JSSE jars (from the 
http://java.sun.com/products/jsse/ release) when upgrading.

/Magnus Stenman, the Orion team

----- Original Message ----- 
From: Colin Burroughs <[EMAIL PROTECTED]>
To: Orion-Interest <[EMAIL PROTECTED]>
Sent: Thursday, December 23, 1999 1:46 AM
Subject: Exposing your lovely .JSP code :(


> heevnin 1 an' all,
> 
> Just found a mildly annoying *prob* with Orion and my beloved Netscape 3 browser 
>(..only use it when I'm in DEV mode 'cause browsers these days are somewhat flabby, 
>and IE5 is useless at telling you what's going on under the hood!..) running on NT...
> 
> *boo hiss* I hear you cry...
> 
> hmmmmmm, try capitalising the '.jsp' file extension of any of your JSP pages and 
>watch in horror at what gets returned. :(
> 
> (stumbled upon this by accident when my finger hit CAPSLOCK instead of the 'A' 
>key.... as you do!)
> 
> Netscape (3 atleast) shows it in the browser and IE5 wants to download it.
> 
> I tried added another MIME type of 'JSP' as well as 'jsp' but a MIME type is a MIME 
>type is a MIME type case or no case.
> 
> 0.8.3 may well be about to rear it's ugly :) head, but this _MUST_ be fixed pretty 
>soon :(
> 
> CB
> 
> ps. Hap Crimbo

Reply via email to