Security issues:
As of today (10/16/2003), I have removed all examples from the server. They don't really pose any security issues, but some of the examples fall under the Cross Site Scripting security warning. In the words of the security consultant who found it, "That's it... it's not very dangerous. But the main problem is that it shows that you (and all the others) did not fully check/filter what someone inserts into your application."
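The consultant's point is that input echoed back into a page without filtering becomes markup. The following is an added example (not code from the server or its examples) showing the unescaped pattern beside the escaped one, plus a small check that reports any tag from the input that survived into the output. The template, parameter names and the sample input are constructed for this illustration.

```python
import html
import re

# Two renderers for the same page fragment: one echoes the parameter as-is,
# one escapes it first. The template itself is constructed for this example.

def render_unescaped(name: str) -> str:
    """Echoes the parameter straight into HTML: the pattern the warning was about."""
    return f"<p>Hello, {name}!</p>"


def render_escaped(name: str) -> str:
    """Escapes &, <, >, \" and ' before output, so input is shown as text, not markup."""
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


# Matches an opening or closing HTML tag such as <script> or </p>.
TAG_RE = re.compile(r"<\s*/?\s*[A-Za-z][^>]*>")


def injected_tags(user_input: str, rendered: str) -> list:
    """Return every tag in `rendered` that also appears verbatim in `user_input`,
    i.e. markup the user supplied and the page emitted unchanged.
    An empty list means the input was neutralised."""
    return [m.group(0) for m in TAG_RE.finditer(rendered) if m.group(0) in user_input]


# Constructed probe input: the usual way to confirm that script tags pass through.
SAMPLE = "<script>alert(1)</script>"

if __name__ == "__main__":
    print("unescaped:", injected_tags(SAMPLE, render_unescaped(SAMPLE)))  # ['<script>', '</script>']
    print("escaped:  ", injected_tags(SAMPLE, render_escaped(SAMPLE)))    # []
```

Escaping at output time is the fix that does not depend on guessing every bad input in advance; the `injected_tags` check is only a quick regression test, not a substitute for it.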


Please note that the server stores the admin password in plain text in the config/users.properties file. This file is used by the config servlet for admin logon (the servlet is set up so only local connections are accepted). If you have other users sharing the computer with you, make sure to set up the config directory to be readable only by you (or remove wars/srvConfig.war completely so no one can use it). It is a legitimate issue; however, what made me unhappy is that the guy who reported it (CyberTalon) never even bothered to contact me.
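A quick way to verify the advice above on a POSIX system: check whether the group or world read bit is set on the password file, and tighten the file and its directory to owner-only. This is an added example, not part of the server; the file name and directory follow the note above, and the temporary copy of users.properties used in the demo is constructed here.

```python
import os
import stat
import tempfile


def readable_by_others(path: str) -> bool:
    """True if the group or world read bit is set on `path` (POSIX mode bits)."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def lock_down_file(path: str) -> None:
    """Owner read/write only (0600)."""
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)


def lock_down_dir(path: str) -> None:
    """Owner read/write/search only (0700), so the directory cannot be listed either."""
    os.chmod(path, stat.S_IRWXU)


def run_demo() -> dict:
    """Create a stand-in config/users.properties with the usual umask-022 default
    permissions, check it, fix it, and re-check. Returns the before/after findings."""
    with tempfile.TemporaryDirectory() as tmp:
        cfg = os.path.join(tmp, "config")
        os.mkdir(cfg)
        path = os.path.join(cfg, "users.properties")
        with open(path, "w") as f:
            f.write("admin=password-in-clear\n")  # constructed stand-in for the real file
        os.chmod(path, 0o644)  # typical default: everyone on the host can read it
        os.chmod(cfg, 0o755)
        before = readable_by_others(path)
        lock_down_file(path)
        lock_down_dir(cfg)
        after = readable_by_others(path)
        return {
            "exposed_before": before,
            "exposed_after": after,
            "file_mode_after": stat.S_IMODE(os.stat(path).st_mode),
            "dir_mode_after": stat.S_IMODE(os.stat(cfg).st_mode),
        }


if __name__ == "__main__":
    print(run_demo())
```

Run `readable_by_others` against the real config/users.properties on your installation; anything other than `False` means another local account can read the admin password.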

Please note that server version 0.78 has a major security bug: the CGI processor executes without checking whether the target file exists or whether the command uses a relative path. The problem is fixed in version 0.80 and above. Thanks to Erick Lee and Joe Testa for finding the bug.
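The two missing checks named above (target exists, no relative path) are what a CGI dispatcher has to settle before it runs anything. The following is an added example of such a check, written for this page rather than taken from the server's 0.80 fix: `resolve_cgi_target` is a hypothetical name, and the throwaway cgi-bin layout in `run_demo` is constructed. It rejects `.`/`..`/empty segments and NUL bytes before touching the file system, canonicalises the path and confirms it is still under the CGI root (which also catches symlinks that point outside), and finally requires an existing, executable regular file.

```python
import os
import tempfile


class CgiTargetError(ValueError):
    """Raised when a request does not map to a legitimate script under the CGI root."""


def resolve_cgi_target(cgi_root: str, script_path: str) -> str:
    """Map the part of the URL after the CGI prefix (e.g. 'hello.cgi' or 'tools/x.sh')
    to an executable regular file under `cgi_root`, or raise CgiTargetError."""
    if "\x00" in script_path:
        raise CgiTargetError("NUL byte in script path")
    segments = script_path.replace("\\", "/").split("/")
    # Leading '/', '.', '..' and empty segments are all refused outright.
    if any(seg in ("", ".", "..") for seg in segments):
        raise CgiTargetError("relative or empty path segment: %r" % script_path)
    root = os.path.realpath(cgi_root)
    target = os.path.realpath(os.path.join(root, *segments))
    # realpath follows symlinks, so a link out of the root fails this containment test.
    if os.path.commonpath([root, target]) != root:
        raise CgiTargetError("target escapes CGI root: %r" % script_path)
    if not os.path.isfile(target):
        raise CgiTargetError("no such script: %r" % script_path)
    if not os.access(target, os.X_OK):
        raise CgiTargetError("script is not executable: %r" % script_path)
    return target


def run_demo() -> dict:
    """Build a constructed cgi-bin with one executable script, one data file and one
    symlink pointing outside the root, then record which requests are accepted."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "cgi-bin")
        os.mkdir(root)
        script = os.path.join(root, "hello.cgi")
        with open(script, "w") as f:
            f.write("#!/bin/sh\necho 'Content-Type: text/plain'\necho\necho hello\n")
        os.chmod(script, 0o755)
        with open(os.path.join(root, "notes.txt"), "w") as f:
            f.write("not a script\n")  # exists but is not executable
        outside = os.path.join(tmp, "secret.sh")
        with open(outside, "w") as f:
            f.write("#!/bin/sh\necho outside\n")
        os.chmod(outside, 0o755)
        try:
            os.symlink(outside, os.path.join(root, "link.cgi"))
        except OSError:
            pass  # no symlink support: that request then fails as 'no such script'
        for req in ("hello.cgi", "notes.txt", "missing.cgi", "../secret.sh", "link.cgi", "/etc/passwd"):
            try:
                resolve_cgi_target(root, req)
                results[req] = "accepted"
            except CgiTargetError as e:
                results[req] = "rejected: " + str(e)
    return results


if __name__ == "__main__":
    for req, outcome in run_demo().items():
        print("%-14s %s" % (req, outcome))
```

Only `hello.cgi` is accepted; every other request is refused with a reason the server can log, which is also useful for spotting traversal attempts in access logs.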

There was another bug report last year about the server exposing the root directory when using a relative path (../.. or ...), which is totally false. The problem never existed. Whoever reported the problem also got the version wrong. They stated the version was 1.0, while the server had only reached version 0.92 in June this year.

If you are using the server, please let me know so I can send you notifications or patches if other problems are found.