Hi,
yes, this is a quite severe bug/security hole that effects Win32 users (UNIX users are
not affected). We recommend anyone running a deployed application on a windows system
to download the patch at http://www.orionserver.com/orion/orion.jar. This patch also
fixes some other bugs like the escape character bug as reported by Brien Voorhees. As
stated earlier you also need the JSSE jars (from the
http://java.sun.com/products/jsse/ release) when upgrading.
/Magnus Stenman, the Orion team
----- Original Message -----
From: Colin Burroughs <[EMAIL PROTECTED]>
To: Orion-Interest <[EMAIL PROTECTED]>
Sent: Thursday, December 23, 1999 1:46 AM
Subject: Exposing your lovely .JSP code :(
> heevnin 1 an' all,
>
> Just found a mildly annoying *prob* with Orion and my beloved Netscape 3 browser
>(..only use it when I'm in DEV mode 'cause browsers these days are somewhat flabby,
>and IE5 is useless at telling you what's going on under the hood!..) running on NT...
>
> *boo hiss* I hear you cry...
>
> hmmmmmm, try capitalising the '.jsp' file extension of any of your JSP pages and
>watch in horror at what gets returned. :(
>
> (stumbled upon this by accident when my finger hit CAPSLOCK instead of the 'A'
>key.... as you do!)
>
> Netscape (3 atleast) shows it in the browser and IE5 wants to download it.
>
> I tried added another MIME type of 'JSP' as well as 'jsp' but a MIME type is a MIME
>type is a MIME type case or no case.
>
> 0.8.3 may well be about to rear it's ugly :) head, but this _MUST_ be fixed pretty
>soon :(
>
> CB
>
> ps. Hap Crimbo
