https://www.exploit-db.com/exploits/20375
https://www.securityfocus.com/bid/82094
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-199901-015

Java网络服务器中存在漏洞。远程攻击者利用该漏洞获得CGI程序的源码。

source: http://www.securityfocus.com/bid/1891/info

A vulnerability exists in Sun Microsystems' JavaWebServer for Win32, version 1.1Beta. JavaWebServer is a Java-oriented web application development platform.

If a URL is submitted requesting a .jhtml file (an HTML document with embedded Java source) and a '.' or '/' character is appended to the filename, the source for that .jhtml file will be returned to the client, rather than being compiled on the server. As a result, system information which is not intended for disclosure to the client, such as database usernames and passwords, resource locations, website and network structure and business models, may be obtained by the attacker. As well as its inherent sensitivity, this type of information could potentially be used to implement other attacks on the host.

http://localhost/xyz.jhtml. 

or 

http://localhost/xyz.jhtml

Oracle Java Web Server 0

来源:BUGTRAQ
名称:19970716Viewable.jhtmlsourcewithJavaWebServer
链接:http://marc.theaimsgroup.com/?l=bugtraq&m=88256790401004&w=2