List:       webappsec
Subject:    RE: Source Code Discloser
From:       "Matt Petteys" <mpetteys () securestate ! org>
Date:       2002-03-19 23:24:46


Yes, JSP code is server based.  It is compiled into Java code and then the
server executes the Java code to generate the HTTP response for the web
browser.  Only the HTTP response should be available to the end user.

> -----Original Message-----
> From: Ailean Mhorgainn [mailto:ailean@ceadmilefailte.org]
> Sent: Tuesday, March 19, 2002 1:07 PM
> To: webappsec@securityfocus.com
> Subject: Re: Source Code Discloser
>
>
> At 08:46 AM 3/19/2002 +0000, raj@ealcatraz.com wrote:
>
>
> >Hello,
> >We are developing a web site with PHP and I am in
> >the process of evaluating the code for security
> >breaches. During my evaluation I came across
> >certain issues which I myself wasn't able to solve,
> >and any help in this regard will be very helpful
> >for me.
> >To my knowledge we cannot see the source code
> >in ASP, but in the case of PHP, XML, JSP, the
> >source code is disclosed. My question is: is it possible
> >to disable this, and if yes, how do I do that?
> >Thanks in advance,
> >Regards,
> >Raj
>
> PHP is server-parsed, just like ASP or Perl CGI code. It's not client-side
> parsed like JavaScript. I.e., the code is already finished "running" before it
> is served over HTTP, and you get the (usually) HTML results. XML is used in
> many different ways, so it's hard to say whether or not you're vulnerable to
> someone seeing something they shouldn't... you have to evaluate your use of
> it. I'm not sure about JSP but if I recall correctly, it is also server
> parsed... if you're running something like Tomcat?
>
> Anyone confirm/deny JSP?
>
> --Ailean
> "Bi tren agus sitheil"
>
>
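
A defender-side check of the point made in this thread (only the HTTP response, never the script source, should reach the browser), as an added example that is not part of the original messages. The extension list, content-type list, marker patterns and sample responses are all constructed assumptions of this example.

```python
import re

# Extensions the server is expected to execute rather than send (example's choice).
SCRIPT_EXTS = {"php", "jsp", "asp"}
# Content types that mean the file was handed over instead of rendered.
RAW_TYPES = ("text/plain", "application/octet-stream", "application/x-httpd-php")
# Opening delimiters that should be consumed server-side. "<?xml" is not matched.
MARKERS = {
    "PHP": re.compile(r"<\?(?:php\b|=)", re.IGNORECASE),
    "JSP/ASP": re.compile(r"<%"),
}

def check_response(path, content_type, body):
    """Return findings for one HTTP response; an empty list means nothing leaked."""
    findings = []
    # Extension of the requested path, ignoring any query string.
    ext = path.split("?", 1)[0].rsplit(".", 1)[-1].lower()
    # Media type without parameters such as "; charset=utf-8".
    ctype = content_type.split(";", 1)[0].strip().lower()
    if ext in SCRIPT_EXTS and ctype in RAW_TYPES:
        findings.append(f"{path}: script served as {ctype}, not executed")
    for name, pattern in MARKERS.items():
        match = pattern.search(body)
        if match:
            findings.append(f"{path}: raw {name} delimiter at offset {match.start()}")
    return findings

# Constructed sample responses: (path, Content-Type, body).
SAMPLES = [
    ("/index.php", "text/html; charset=utf-8", "<html><body>Hello</body></html>"),
    ("/index.php", "text/plain", "<?php $greeting = 'Hello'; echo $greeting; ?>"),
    ("/login.jsp", "text/html", '<%@ page language="java" %><html></html>'),
    ("/feed.xml", "application/xml", '<?xml version="1.0"?><rss></rss>'),
]

if __name__ == "__main__":
    for path, ctype, body in SAMPLES:
        for finding in check_response(path, ctype, body) or [f"{path}: ok"]:
            print(finding)
```

Pages that legitimately ship `<% %>` client-side templates will trigger the JSP/ASP marker, so review such hits before treating them as a leak.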
