Check: WG490 IIS6
IIS6 Site:
WG490 IIS6
(in version v6 r16)
Title
Java software installed on the web server must be limited to class files and the JAVA virtual machine. (Cat III impact)
Discussion
From the source code in a .java or a .jpp file, the Java compiler produces a binary file with an extension of .class. The .java or .jpp file would, therefore, reveal sensitive information regarding an application’s logic and permissions to resources on the server. By contrast, the .class file, because it is intended to be machine independent, is referred to as bytecode. Bytecodes are run by the Java Virtual Machine (JVM), or the Java Runtime Environment (JRE), via a browser configured to permit Java code.
Check Content
1. Right click on the Start button > Select Search > enter “*.java, *.jpp” in the box titled All or part of the file name. 2. Press Search. NOTE: This search must be completed on all active drives the web server utilizes. NOTE: Files with the extension .class, .jre and .jvm are acceptable. Executables such as java.exe, jre.exe, and jrew.exe are permitted. If files with the extension .java or .jpp are found, this is a finding.
Fix Text
Remove all files from the web server with the following extensions: .java and .jpp.
Additional Identifiers
Rule ID: SV-38118r1_rule
Vulnerability ID: V-2265
Group Title:
Expert Comments
CCIs
Number | Definition |
---|---|
No CCIs are assigned to this check |
Controls
Number | Title |
---|---|
No controls are assigned to this check |