Vulnerability

WebSphere Application Server

Affected

IBM WebSphere Application Server (all versions up to and including 3.0.2)

Description

The following is based on a Foundstone Security Advisory by Saumil Shah and Stuart McClure. A show code vulnerability exists in IBM's WebSphere Application Server for NT that allows an attacker to view the source code of Java Server Pages (JSP) files.

The problem lies in the way WebSphere assigns handlers to specific file types. For example, files with the extension .jsp are registered as Java Server Pages by WebSphere. WebSphere is case sensitive and treats .jsp and .JSP as two different extensions. If a request for a .JSP file is made to WebSphere, it cannot find a handler for the .JSP extension and therefore uses the default handler, which is of type "text". Since the underlying file system is Windows NT, which does not differentiate between upper case and lower case filenames, the requested file ends up being served as plain text without being parsed or interpreted. WebSphere running on Unix servers flags a "File not Found" error instead.

Normally, JSP files are referred to in URLs using lower case extensions. For example:

http://site.running.websphere/index.jsp

By changing any letters in the extension (.jsp) to upper case, it is possible to obtain the unparsed source code of the JSP file. For the above example, the exploit would be to access the following URL:

http://site.running.websphere/index.JSP

Solution

An efix (APAR #: PQ38936) is available and will be posted at:

http://www-4.ibm.com/software/webservers/appserv/efix.html
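
One way to check web server access logs for the case mismatch described above, as an added example that is not part of the original advisory: it flags requests whose extension matches a registered handler extension only when case is ignored and that were served with a 2xx status. The Common Log Format layout, the HANDLED_EXTENSIONS set and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Assumption: extensions with a registered handler, in the exact case registered.
HANDLED_EXTENSIONS = {".jsp"}

# Common Log Format: host ident user [time] "METHOD target PROTO" status size
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) (\S+)')

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Jul/2000:10:01:02 -0700] "GET /index.jsp HTTP/1.0" 200 5120',
    '198.51.100.7 - - [12/Jul/2000:10:03:44 -0700] "GET /index.JSP HTTP/1.0" 200 1843',
    '198.51.100.7 - - [12/Jul/2000:10:03:51 -0700] "GET /login.Jsp?next=/ HTTP/1.0" 200 2210',
    '192.0.2.33 - - [12/Jul/2000:10:05:09 -0700] "GET /missing.JSP HTTP/1.0" 404 312',
    '192.0.2.10 - - [12/Jul/2000:10:06:30 -0700] "GET /logo.GIF HTTP/1.0" 200 900',
]


def extension_of(target):
    """Return the extension of the request path, ignoring query and ;parameters."""
    path = unquote(urlsplit(target).path)  # normalise percent-encoding first
    last = path.rsplit("/", 1)[-1].split(";", 1)[0]
    dot = last.rfind(".")
    return last[dot:] if dot != -1 else ""


def case_mismatch_hits(lines):
    """Yield (host, time, target, status) for served requests whose extension
    equals a handled extension only under case-insensitive comparison."""
    lowered = {e.lower() for e in HANDLED_EXTENSIONS}
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # not a CLF line; skip rather than guess
        host, when, _method, target, status, _size = m.groups()
        ext = extension_of(target)
        # Exact-case matches reach the JSP handler; unrelated extensions are ignored.
        if ext in HANDLED_EXTENSIONS or ext.lower() not in lowered:
            continue
        if status.startswith("2"):  # a 404 means the file was not served
            yield host, when, target, int(status)


if __name__ == "__main__":
    for hit in case_mismatch_hits(SAMPLE_LOG):
        print("possible JSP source disclosure:", hit)
```

A hit whose response size differs from the normal rendered page for the same path is worth reviewing first, since the unparsed source and the rendered output rarely have the same length.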