COMMAND

WebSphere

SYSTEMS AFFECTED

IBM WebSphere Application Server 3.0.2

PROBLEM

The following is based on a Foundstone Security Advisory by Shreeraj Shah and Saumil Shah.

A "show code" vulnerability exists in IBM WebSphere that allows an attacker to view the source code of any file within the web document root of the web server.

IBM WebSphere uses Java servlets to handle parsing of various types of pages (for example HTML, JSP, JHTML, etc.). In addition to the different servlets that handle different kinds of pages, WebSphere also has a default servlet which is invoked if a requested file has no registered handler. This default servlet can be forced to run by prefixing the file path in the URL with "/servlet/file/", which causes the page to be returned without being parsed or compiled.

It is easy to verify this vulnerability for a given system. For example, if the URL for a file "login.jsp" is:

http://site.running.websphere/login.jsp

then accessing

http://site.running.websphere/servlet/file/login.jsp

causes the unparsed contents of the file to show up in the web browser.

SOLUTION

Remove the InvokerServlet from the web application. The fix is APAR PQ39857, which will be available soon at:

http://www-4.ibm.com/software/webservers/appserv/efix.html
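As an added example that is not part of the original advisory, the following Python script scans web server access log lines (common log format) for requests that use the "/servlet/file/" prefix described above, and reports which document-root file each such request would have read raw. It goes slightly beyond the advisory by also catching case variants and percent-encoded forms of the prefix. The log lines, client addresses and timestamps are constructed sample data; the function names are the author's own.

```python
import re
from urllib.parse import urlsplit, unquote

# Common log format as written by Apache / IBM HTTP Server:
#   client ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# The prefix from the advisory that routes a request to the default
# (invoker) servlet. Matched after percent-decoding and case-folding so
# that trivially disguised requests are not missed.
INVOKER_PREFIX = "/servlet/file/"

# Constructed sample log: one normal request, several prefixed requests,
# one unrelated /servlet/ path that must not match, and one prefixed
# request that returned 404 (nothing was disclosed, but it is still an
# attempt worth seeing).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Dec/2000:10:15:01 +0000] "GET /login.jsp HTTP/1.0" 200 1532
10.0.0.9 - - [12/Dec/2000:10:15:07 +0000] "GET /servlet/file/login.jsp HTTP/1.0" 200 2210
10.0.0.9 - - [12/Dec/2000:10:15:09 +0000] "GET /Servlet/File/admin/config.jhtml HTTP/1.0" 200 980
10.0.0.9 - - [12/Dec/2000:10:15:12 +0000] "GET /servlet%2Ffile%2Fdb/settings.jsp?x=1 HTTP/1.0" 200 410
10.0.0.7 - - [12/Dec/2000:10:16:00 +0000] "GET /servlet/FileUpload HTTP/1.0" 200 300
10.0.0.9 - - [12/Dec/2000:10:16:30 +0000] "GET /servlet/file/index.html HTTP/1.0" 404 210
"""


def exposed_path(target: str):
    """Return the document-root relative file a request would read raw via
    the invoker servlet, or None if the request does not use the prefix."""
    path = unquote(urlsplit(target).path)   # drop query string, decode %2F
    if path.lower().startswith(INVOKER_PREFIX):
        return path[len(INVOKER_PREFIX):]
    return None


def find_source_disclosure(log_text: str):
    """Return a list of (client, status, exposed_file) for every request
    that used the /servlet/file/ prefix. A 200 status means the raw file
    contents were most likely served; any other status is still an attempt."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue   # skip lines that are not in common log format
        exposed = exposed_path(m.group("target"))
        if exposed is not None:
            hits.append((m.group("client"), int(m.group("status")), exposed))
    return hits


if __name__ == "__main__":
    for client, status, name in find_source_disclosure(SAMPLE_LOG):
        print(f"{client} status={status} raw read of {name}")
```

Run it over a real access log by passing the file contents to `find_source_disclosure`. Matching requires the trailing slash of the prefix, so legitimate servlet names that merely begin with "file" (as in the `/servlet/FileUpload` sample line) are not flagged. This only detects attempts after the fact; the actual mitigation remains the one in the SOLUTION section, removing the InvokerServlet from the web application.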