Change extension of client/server info html to jsp

src/main/java/org/t246osslab/easybuggy4sb/core/filters/AuthenticationFilter.java

@@ -40,7 +40,7 @@ public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
         HttpServletResponse response = (HttpServletResponse) res;
         String target = request.getRequestURI();
 
-        if (target.startsWith("/admins") || "/uid/serverinfo.html".equals(target) || "/serverinfo".equals(target)) {
+        if (target.startsWith("/admins") || "/uid/serverinfo.jsp".equals(target) || "/serverinfo".equals(target)) {
             /* Login (authentication) is needed to access admin pages (under /admins). */
 
             String loginType = request.getParameter("logintype");

src/main/resources/messages.properties

@@ -275,7 +275,7 @@ msg.note.socket.leak.occur=Network socket leak occurs every time you load this p
 msg.note.unrestricted.ext.upload=If you upload JSP file (named exit.jsp) including <code><% System.exit(0); %></code> and access to http://localhost:8080/uploadFiles/exit.jsp, \
 then JavaVM is forcibly finished.
 msg.note.unintended.file.disclosure=If the directory listing feature works and you access to http://localhost:8080/uid/, then you can see the file list in the uid directory. \
-If you login as an acount written in http://localhost:8080/uid/adminpassword.txt you can access to /uid/serverinfo.html.
+If you login as an acount written in http://localhost:8080/uid/adminpassword.txt you can access to /uid/serverinfo.jsp.
 msg.note.unrestricted.size.upload=This page is vulnerable for attacks such as DoS because there are no limitation for uploading file size.
 msg.note.verbose.errror.message=You can login with <code>admin</code> and <code>password</code>. \
 It is easy to guess an account who can logs in since authentication error messages on this page is too detailed.

src/main/resources/messages_de.properties

@@ -263,7 +263,7 @@ msg.note.null.byte.injection=If using Java earlier than version 1.7.0_40 and you
 msg.note.open.redirect=You can login with <code>admin</code> and <code>password</code>. \nIf you add <code>goto\=[an URL of a malicious site]</code> to the query string, you can redirect to the malicious site.
 msg.note.socket.leak.occur=Network socket leak occurs every time you load this page.
 msg.note.unrestricted.ext.upload=If you upload JSP file (named exit.jsp) including <code><% System.exit(0); %></code> and access to http\://localhost\:8080/uploadFiles/exit.jsp, \nthen JavaVM is forcibly finished.
-msg.note.unintended.file.disclosure=If the directory listing feature works and you access to http\://localhost\:8080/uid/, then you can see the file list in the uid directory. \nIf you login as an acount written in http\://localhost\:8080/uid/adminpassword.txt you can access to /uid/serverinfo.html.
+msg.note.unintended.file.disclosure=If the directory listing feature works and you access to http\://localhost\:8080/uid/, then you can see the file list in the uid directory. \nIf you login as an acount written in http\://localhost\:8080/uid/adminpassword.txt you can access to /uid/serverinfo.jsp.
 msg.note.unrestricted.size.upload=This page is vulnerable for attacks such as DoS because there are no limitation for uploading file size.
 msg.note.verbose.errror.message=You can login with <code>admin</code> and <code>password</code>. \nIt is easy to guess an account who can logs in since authentication error messages on this page is too detailed.
 msg.note.xee=If you upload the following XML file, it will waste server resources.

src/main/resources/messages_en.properties

@@ -263,7 +263,7 @@ msg.note.null.byte.injection=If using Java earlier than version 1.7.0_40 and you
 msg.note.open.redirect=You can login with <code>admin</code> and <code>password</code>. \nIf you add <code>goto\=[an URL of a malicious site]</code> to the query string, you can redirect to the malicious site.
 msg.note.socket.leak.occur=Network socket leak occurs every time you load this page.
 msg.note.unrestricted.ext.upload=If you upload JSP file (named exit.jsp) including <code><% System.exit(0); %></code> and access to http\://localhost\:8080/uploadFiles/exit.jsp, \nthen JavaVM is forcibly finished.
-msg.note.unintended.file.disclosure=If the directory listing feature works and you access to http\://localhost\:8080/uid/, then you can see the file list in the uid directory. \nIf you login as an acount written in http\://localhost\:8080/uid/adminpassword.txt you can access to /uid/serverinfo.html.
+msg.note.unintended.file.disclosure=If the directory listing feature works and you access to http\://localhost\:8080/uid/, then you can see the file list in the uid directory. \nIf you login as an acount written in http\://localhost\:8080/uid/adminpassword.txt you can access to /uid/serverinfo.jsp.
 msg.note.unrestricted.size.upload=This page is vulnerable for attacks such as DoS because there are no limitation for uploading file size.
 msg.note.verbose.errror.message=You can login with <code>admin</code> and <code>password</code>. \nIt is easy to guess an account who can logs in since authentication error messages on this page is too detailed.
 msg.note.xee=If you upload the following XML file, it will waste server resources.

src/main/resources/messages_es.properties

@@ -263,7 +263,7 @@ msg.note.null.byte.injection=If using Java earlier than version 1.7.0_40 and you
 msg.note.open.redirect=You can login with <code>admin</code> and <code>password</code>. \nIf you add <code>goto\=[an URL of a malicious site]</code> to the query string, you can redirect to the malicious site.
 msg.note.socket.leak.occur=Network socket leak occurs every time you load this page.
 msg.note.unrestricted.ext.upload=If you upload JSP file (named exit.jsp) including <code><% System.exit(0); %></code> and access to http\://localhost\:8080/uploadFiles/exit.jsp, \nthen JavaVM is forcibly finished.
-msg.note.unintended.file.disclosure=If the directory listing feature works and you access to http\://localhost\:8080/uid/, then you can see the file list in the uid directory. \nIf you login as an acount written in http\://localhost\:8080/uid/adminpassword.txt you can access to /uid/serverinfo.html.
+msg.note.unintended.file.disclosure=If the directory listing feature works and you access to http\://localhost\:8080/uid/, then you can see the file list in the uid directory. \nIf you login as an acount written in http\://localhost\:8080/uid/adminpassword.txt you can access to /uid/serverinfo.jsp.
 msg.note.unrestricted.size.upload=This page is vulnerable for attacks such as DoS because there are no limitation for uploading file size.
 msg.note.verbose.errror.message=You can login with <code>admin</code> and <code>password</code>. \nIt is easy to guess an account who can logs in since authentication error messages on this page is too detailed.
 msg.note.xee=If you upload the following XML file, it will waste server resources.

src/main/resources/messages_fr.properties

@@ -263,7 +263,7 @@ msg.note.null.byte.injection=If using Java earlier than version 1.7.0_40 and you
 msg.note.open.redirect=You can login with <code>admin</code> and <code>password</code>. \nIf you add <code>goto\=[an URL of a malicious site]</code> to the query string, you can redirect to the malicious site.
 msg.note.socket.leak.occur=Network socket leak occurs every time you load this page.
 msg.note.unrestricted.ext.upload=If you upload JSP file (named exit.jsp) including <code><% System.exit(0); %></code> and access to http\://localhost\:8080/uploadFiles/exit.jsp, \nthen JavaVM is forcibly finished.
-msg.note.unintended.file.disclosure=If the directory listing feature works and you access to http\://localhost\:8080/uid/, then you can see the file list in the uid directory. \nIf you login as an acount written in http\://localhost\:8080/uid/adminpassword.txt you can access to /uid/serverinfo.html.
+msg.note.unintended.file.disclosure=If the directory listing feature works and you access to http\://localhost\:8080/uid/, then you can see the file list in the uid directory. \nIf you login as an acount written in http\://localhost\:8080/uid/adminpassword.txt you can access to /uid/serverinfo.jsp.
 msg.note.unrestricted.size.upload=This page is vulnerable for attacks such as DoS because there are no limitation for uploading file size.
 msg.note.verbose.errror.message=You can login with <code>admin</code> and <code>password</code>. \nIt is easy to guess an account who can logs in since authentication error messages on this page is too detailed.
 msg.note.xee=If you upload the following XML file, it will waste server resources.

src/main/resources/messages_ja.properties

@@ -263,7 +263,7 @@ msg.note.null.byte.injection=\u30d0\u30fc\u30b8\u30e7\u30f31.7.0_40\u3088\u308a\
 msg.note.open.redirect=<code>admin</code>\u3068<code>password</code>\u3092\u5165\u529b\u3059\u308b\u3068\u3001\u30ed\u30b0\u30a4\u30f3\u3067\u304d\u307e\u3059\u3002\n\u30af\u30a8\u30ea\u30b9\u30c8\u30ea\u30f3\u30b0\u306b<code>goto\=[\u60aa\u610f\u306e\u3042\u308b\u30b5\u30a4\u30c8\u306eURL]</code>\u3092\u4ed8\u52a0\u3059\u308b\u3068\u3001\u30c1\u30a7\u30c3\u30af\u305b\u305a\u306b\u60aa\u610f\u306e\u3042\u308b\u30b5\u30a4\u30c8\u306eURL\u306b\u30ea\u30c0\u30a4\u30ec\u30af\u30c8\u3057\u307e\u3059\u3002
 msg.note.socket.leak.occur=\u3053\u306e\u30da\u30fc\u30b8\u3092\u8aad\u307f\u8fbc\u3080\u305f\u3073\u306b\u3001\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u30bd\u30b1\u30c3\u30c8\u30ea\u30fc\u30af\u304c\u767a\u751f\u3057\u307e\u3059\u3002
 msg.note.unrestricted.ext.upload=<code><% System.exit(0); %></code>\u3068\u66f8\u3044\u305fJSP\u30d5\u30a1\u30a4\u30eb(\u30d5\u30a1\u30a4\u30eb\u540d\uff1aexit.jsp)\u3092\u30a2\u30c3\u30d7\u30ed\u30fc\u30c9\u3057\u3066\u3001http\://localhost\:8080/uploadFiles/exit.jsp\u306b\u30a2\u30af\u30bb\u30b9\u3059\u308b\u3068\u3001\nJavaVM\u304c\u5f37\u5236\u7d42\u4e86\u3057\u307e\u3059\u3002
-msg.note.unintended.file.disclosure=\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u30ea\u30b9\u30c6\u30a3\u30f3\u30b0\u304c\u6a5f\u80fd\u3057\u3066\u3044\u308b\u5834\u5408\u3001http\://localhost\:8080/uid/\u306b\u30a2\u30af\u30bb\u30b9\u3059\u308b\u3068\u3001\u305d\u306e\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u5185\u306e\u30d5\u30a1\u30a4\u30eb\u4e00\u89a7\u304c\u8868\u793a\u3055\u308c\u307e\u3059\u3002\n\u3055\u3089\u306bhttp\://localhost\:8080/uid/adminpassword.txt\u306b\u8a18\u8f09\u3055\u308c\u305f\u30a2\u30ab\u30a6\u30f3\u30c8\u3067\u30ed\u30b0\u30a4\u30f3\u3059\u308b\u3068\u3001http\://localhost\:8080/uid/serverinfo.html\u3078\u30a2\u30af\u30bb\u30b9\u3059\u308b\u3053\u3068\u304c\u3067\u304d\u307e\u3059\u3002
+msg.note.unintended.file.disclosure=\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u30ea\u30b9\u30c6\u30a3\u30f3\u30b0\u304c\u6a5f\u80fd\u3057\u3066\u3044\u308b\u5834\u5408\u3001http\://localhost\:8080/uid/\u306b\u30a2\u30af\u30bb\u30b9\u3059\u308b\u3068\u3001\u305d\u306e\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u5185\u306e\u30d5\u30a1\u30a4\u30eb\u4e00\u89a7\u304c\u8868\u793a\u3055\u308c\u307e\u3059\u3002\n\u3055\u3089\u306bhttp\://localhost\:8080/uid/adminpassword.txt\u306b\u8a18\u8f09\u3055\u308c\u305f\u30a2\u30ab\u30a6\u30f3\u30c8\u3067\u30ed\u30b0\u30a4\u30f3\u3059\u308b\u3068\u3001http\://localhost\:8080/uid/serverinfo.jsp\u3078\u30a2\u30af\u30bb\u30b9\u3059\u308b\u3053\u3068\u304c\u3067\u304d\u307e\u3059\u3002
 msg.note.unrestricted.size.upload=\u30a2\u30c3\u30d7\u30ed\u30fc\u30c9\u53ef\u80fd\u306a\u30d5\u30a1\u30a4\u30eb\u30b5\u30a4\u30ba\u306e\u5236\u9650\u304c\u7121\u3044\u305f\u3081\u3001DoS\u653b\u6483\u306a\u3069\u306b\u5bfe\u3057\u3066\u8106\u5f31\u3067\u3059\u3002
 msg.note.verbose.errror.message=<code>admin</code>\u3068<code>password</code>\u3092\u5165\u529b\u3059\u308b\u3068\u3001\u30ed\u30b0\u30a4\u30f3\u3067\u304d\u307e\u3059\u3002\n\u3053\u306e\u753b\u9762\u3067\u306e\u8a8d\u8a3c\u30a8\u30e9\u30fc\u306e\u30e1\u30c3\u30bb\u30fc\u30b8\u306f\u8a73\u7d30\u904e\u304e\u308b\u305f\u3081\u3001\u30ed\u30b0\u30a4\u30f3\u53ef\u80fd\u306a\u30a2\u30ab\u30a6\u30f3\u30c8\u304c\u63a8\u6e2c\u3057\u3084\u3059\u304f\u306a\u3063\u3066\u3044\u307e\u3059\u3002
 msg.note.xee=\u4ee5\u4e0b\u306eXML\u30d5\u30a1\u30a4\u30eb\u3092\u30a2\u30c3\u30d7\u30ed\u30fc\u30c9\u3059\u308b\u3068\u3001\u30b5\u30fc\u30d0\u30fc\u30ea\u30bd\u30fc\u30b9\u3092\u6d6a\u8cbb\u3057\u307e\u3059\u3002

src/main/resources/messages_ko.properties

@@ -263,7 +263,7 @@ msg.note.null.byte.injection=If using Java earlier than version 1.7.0_40 and you
 msg.note.open.redirect=You can login with <code>admin</code> and <code>password</code>. \nIf you add <code>goto\=[an URL of a malicious site]</code> to the query string, you can redirect to the malicious site.
 msg.note.socket.leak.occur=Network socket leak occurs every time you load this page.
 msg.note.unrestricted.ext.upload=If you upload JSP file (named exit.jsp) including <code><% System.exit(0); %></code> and access to http\://localhost\:8080/uploadFiles/exit.jsp, \nthen JavaVM is forcibly finished.
-msg.note.unintended.file.disclosure=If the directory listing feature works and you access to http\://localhost\:8080/uid/, then you can see the file list in the uid directory. \nIf you login as an acount written in http\://localhost\:8080/uid/adminpassword.txt you can access to /uid/serverinfo.html.
+msg.note.unintended.file.disclosure=If the directory listing feature works and you access to http\://localhost\:8080/uid/, then you can see the file list in the uid directory. \nIf you login as an acount written in http\://localhost\:8080/uid/adminpassword.txt you can access to /uid/serverinfo.jsp.
 msg.note.unrestricted.size.upload=This page is vulnerable for attacks such as DoS because there are no limitation for uploading file size.
 msg.note.verbose.errror.message=You can login with <code>admin</code> and <code>password</code>. \nIt is easy to guess an account who can logs in since authentication error messages on this page is too detailed.
 msg.note.xee=If you upload the following XML file, it will waste server resources.

src/main/resources/messages_ru.properties

@@ -263,7 +263,7 @@ msg.note.null.byte.injection=If using Java earlier than version 1.7.0_40 and you
 msg.note.open.redirect=You can login with <code>admin</code> and <code>password</code>. \nIf you add <code>goto\=[an URL of a malicious site]</code> to the query string, you can redirect to the malicious site.
 msg.note.socket.leak.occur=Network socket leak occurs every time you load this page.
 msg.note.unrestricted.ext.upload=If you upload JSP file (named exit.jsp) including <code><% System.exit(0); %></code> and access to http\://localhost\:8080/uploadFiles/exit.jsp, \nthen JavaVM is forcibly finished.
-msg.note.unintended.file.disclosure=If the directory listing feature works and you access to http\://localhost\:8080/uid/, then you can see the file list in the uid directory. \nIf you login as an acount written in http\://localhost\:8080/uid/adminpassword.txt you can access to /uid/serverinfo.html.
+msg.note.unintended.file.disclosure=If the directory listing feature works and you access to http\://localhost\:8080/uid/, then you can see the file list in the uid directory. \nIf you login as an acount written in http\://localhost\:8080/uid/adminpassword.txt you can access to /uid/serverinfo.jsp.
 msg.note.unrestricted.size.upload=This page is vulnerable for attacks such as DoS because there are no limitation for uploading file size.
 msg.note.verbose.errror.message=You can login with <code>admin</code> and <code>password</code>. \nIt is easy to guess an account who can logs in since authentication error messages on this page is too detailed.
 msg.note.xee=If you upload the following XML file, it will waste server resources.

src/main/resources/messages_zh.properties

@@ -263,7 +263,7 @@ msg.note.null.byte.injection=If using Java earlier than version 1.7.0_40 and you
 msg.note.open.redirect=You can login with <code>admin</code> and <code>password</code>. \nIf you add <code>goto\=[an URL of a malicious site]</code> to the query string, you can redirect to the malicious site.
 msg.note.socket.leak.occur=Network socket leak occurs every time you load this page.
 msg.note.unrestricted.ext.upload=If you upload JSP file (named exit.jsp) including <code><% System.exit(0); %></code> and access to http\://localhost\:8080/uploadFiles/exit.jsp, \nthen JavaVM is forcibly finished.
-msg.note.unintended.file.disclosure=If the directory listing feature works and you access to http\://localhost\:8080/uid/, then you can see the file list in the uid directory. \nIf you login as an acount written in http\://localhost\:8080/uid/adminpassword.txt you can access to /uid/serverinfo.html.
+msg.note.unintended.file.disclosure=If the directory listing feature works and you access to http\://localhost\:8080/uid/, then you can see the file list in the uid directory. \nIf you login as an acount written in http\://localhost\:8080/uid/adminpassword.txt you can access to /uid/serverinfo.jsp.
 msg.note.unrestricted.size.upload=This page is vulnerable for attacks such as DoS because there are no limitation for uploading file size.
 msg.note.verbose.errror.message=You can login with <code>admin</code> and <code>password</code>. \nIt is easy to guess an account who can logs in since authentication error messages on this page is too detailed.
 msg.note.xee=If you upload the following XML file, it will waste server resources.

src/main/resources/templates/adminmain.html

@@ -5,7 +5,7 @@
 	<div th:include="header"></div>
 	<p th:utext="#{msg.admin.page.top}" />
 	<ul>
-		<li><a th:href="@{'/uid/serverinfo.html'}"><th:block th:utext="#{section.server.info}" /></a></li>
+		<li><a th:href="@{'/uid/serverinfo.jsp'}"><th:block th:utext="#{section.server.info}" /></a></li>
 		<li><a th:href="@{'/admins/csrf'}"><th:block th:utext="#{section.change.password}" /></a></li>
 		<li><a th:href="@{'/admins/clickjacking'}"><th:block th:utext="#{section.change.mail}" /></a></li>
 	</ul>

src/main/resources/templates/index.html

@@ -56,7 +56,7 @@ <h2>
 		<li><p><a href="nullbyteijct" th:text="#{function.name.null.byte.injection}"></a>: <span th:text="#{function.description.null.byte.injection}"></span></p></li>
 		<li><p><a href="ursupload" th:text="#{function.name.unrestricted.size.upload}"></a>: <span th:text="#{function.description.unrestricted.size.upload}"></span></p></li>
 		<li><p><a href="ureupload" th:text="#{function.name.unrestricted.ext.upload}"></a>: <span th:text="#{function.description.unrestricted.ext.upload}"></span></p></li>
-		<li><p><a href="admins/main?logintype=openredirect&amp;goto=/uid/serverinfo.html" th:text="#{function.name.open.redirect}"></a>: <span th:text="#{function.description.open.redirect}"></span></p></li>
+		<li><p><a href="admins/main?logintype=openredirect&amp;goto=/uid/serverinfo.jsp" th:text="#{function.name.open.redirect}"></a>: <span th:text="#{function.description.open.redirect}"></span></p></li>
 		<li><p><a href="admins/main?logintype=bruteforce" th:text="#{function.name.brute.force}"></a>: <span th:text="#{function.description.brute.force}"></span></p></li>
 		<li><p><a th:href="@{'admins/main?logintype=sessionfixation'}" th:text="#{function.name.session.fixation}"></a>: <span th:text="#{function.description.session.fixation}"></span></p></li>
 		<li><p><a href="admins/main?logintype=verbosemsg" th:text="#{function.name.verbose.error.message}"></a>: <span th:text="#{function.description.verbose.error.message}"></span></p></li>
@@ -66,7 +66,7 @@ <h2>
 		 -->
 		<li><p><a href="/dfi/includable.jsp?template=style_bootstrap.html" th:text="#{function.name.dangerous.file.inclusion}"></a>: <span th:text="#{function.description.dangerous.file.inclusion}"></span></p></li>
 		<li><p><a href="/dt/includable.jsp?template=basic" th:text="#{function.name.path.traversal}"></a>: <span th:text="#{function.description.path.traversal}"></span></p></li>
-		<li><p><a href="/uid/clientinfo.html" th:text="#{function.name.unintended.file.disclosure}"></a>: <span th:text="#{function.description.unintended.file.disclosure}"></span></p></li>
+		<li><p><a href="/uid/clientinfo.jsp" th:text="#{function.name.unintended.file.disclosure}"></a>: <span th:text="#{function.description.unintended.file.disclosure}"></span></p></li>
 		<li><p><a href="/admins/csrf" th:text="#{function.name.csrf}"></a>: <span th:text="#{function.description.csrf}"></span></p></li>
 		<li><p><a href="/admins/clickjacking" th:text="#{function.name.clickjacking}"></a>: <span th:text="#{function.description.clickjacking}"></span></p></li>
 		<li><p><a href="xee" th:text="#{function.name.xee}"></a>: <span th:text="#{function.description.xee}"></span></p></li>