Users login

Create an account »


Users login

Home » Hacking News » Jigsaw Webserver Path Disclosure

Jigsaw Webserver Path Disclosure

by Nikola Strahija on July 18th, 2002 It is possible to disclose the physical path to the webroot. This information could be useful to a malicious user wishing to gain illegal access to resources on the server.

- Jigsaw V2.2.1 Distribution on Windows 2000 Server

Not Vulnerable:
- Jigsaw V2.2.1 Dev/2.2/20020711 on Windows 2000 Server

Product Description:
Quoted from the vendor webpage:

"Jigsaw is W3C's leading-edge Web server platform, providing a sample
HTTP 1.1 implementation and a variety of other features on top of an
advanced architecture implemented in Java. The W3C Jigsaw Activity
statement explains the motivation and future plans in more detail.
Jigsaw is an W3C Open Source Project, started May 1996."

Requesting /aux two times, results in an error message, after second
request, containing the physical path to the web root.

Vendor URL:
You can visit the vendor webpage here:

Vendor response:
The vendor was notified on the 27th of May, 2002. On the 11th of
July, 2002 we verified that the issue was corrected in the latest
build (20020708).

Corrective action:
Upgrade your Jigsaw.jar to the latest build, available from:

Newsletter signup

Signup to our monthly newsletter and stay in touch with IT news!

Free E-books

We've got ebooks! But they're not online. :( Please give us a few days to bring downloads back.


Have something to say or just wanna drop us a line? Please keep this in mind: to spam, we reply with spam.

Contact us »