PayPal bug squashed, but is it dead?

CA has a nice writeup from last month (thanks for the tip, Brian) on a JSP vulnerability recently toyed with on the PayPal site. It’s a fine example of good disclosure: identifying a vulnerability, reporting it effectively, receiving prompt resolution, and then documenting how it works in an informed and easy-to-read way. It’s also a scary little hole. If a money changer like PayPal had it and didn’t know about it, chances are others are vulnerable too. Who built your web site, and is it using JSP pages? I’ll keep my eyes peeled for any indicators as to how broad this vulnerability may be, as I honestly am not sure how widely used JSP pages are these days.
