mailing list archives
Yet Another IBM WebSphere Showcode Vulerability
From: mhalls <mhalls () NIELSEN NET>
Date: Thu, 25 Jan 2001 15:13:33 -0800
Summary: When IBM WebSphere application server shares the same document
root as Netscape Enterprise server it is possible for a malicious user to
view to view the source of any JSP file in the document root.
WebSphere's plugin for Netscape Enterprise server uses the host header
sent from the client browser to determine if it should intercept a request
by matching the host header against its list of "host aliases" configured
in WebSphere. By changing the host header to a value that WebSphere
doesn't expect bypasses the plugin allowing the JSP file to be delivered
as a regular file by Netscape Enterprise server.
Exploit: Configure your hosts file to point a random name to the IP
address of the server and then point your browser to
http://randomhostname/somejspfile.jsp. If the randomhostname is not in
WebSphere's list of hosts aliases it will be served as a regular
Solution: Change to document root of WebSphere to point to a different
location than the Netscape Enterprise Server document root and move all
JSP files to the new location. Maybe others?
- Yet Another IBM WebSphere Showcode Vulerability mhalls (Jan 26)