The Enterprise JavaBeans specification requires that every bean provider follow a set of programming guidelines designed to ensure that the bean will be portable and behave consistently in any EJB container [1].

In this case, the program violates the following EJB guideline:

"The enterprise bean must not attempt to create a class loader; set the context class loader; set security manager; create a new security manager; stop the JVM; or change the input, output, and error streams."

A requirement that the specification justifies in the following way:

"These functions are reserved for the Enterprise Beans container. Allowing the enterprise bean to use these functions could compromise security and decrease the container’s ability to properly manage the runtime environment."

Path manipulation errors occur when the following two conditions are met:

1. An attacker can specify a path used in an operation on the filesystem.
2. By specifying the resource, the attacker gains a capability that would not otherwise be permitted.

The cases below are a few examples of source code disclosure that can be caused by passing special characters via request parameters:


Example 1: By appending a space character ("%20"), an application might be forced into disclosing the source for any PHP file.

Example 2: Source code disclosure might also occur from a null character ("%00") appended to a file name in the request URL.

Example 3: Partial encoding of file extensions has been known to disclose the application source code (e.g. "%2ejsp", "%2ejhtml").

Example 4: Certain configurations are prone to source code disclosure issue when the "#" character is used in the extension (e.g. ".#php").

Example 5: Access restrictions implemented by certain web servers based on explicit access to /WEB-INF/ have known to be bypassed by requesting /WEB-INF./.

Example 6: Source code disclosure can occur when the "+" character is appended to the file extension in the request URL (e.g. "jsp+").

Example 7: Including the "%" character in the file name could also result in the disclosure of file source.

If an application or server fails to account for special characters passed with malicious input, severe disclosure issues can occur.