![[LWN Logo]](/images/lcorner.png) |
|
![[Timeline]](/images/Included.png) |
Date: Sun, 23 Jul 2000 18:03:53 -0700
From: labs@FOUNDSTONE.COM
Subject: IBM WebSphere default servlet handler showcode vulnerability
To: BUGTRAQ@SECURITYFOCUS.COM
Foundstone, Inc.
http://www.foundstone.com
"Securing the Dot Com World"
Security Advisory
IBM WebSphere default servlet handler showcode vulnerability
----------------------------------------------------------------------
FS Advisory ID: FS-072400-6-IBM
Release Date: July 24, 2000
Product: IBM WebSphere Application Server 3.0.2
Vendor: IBM http://www-4.ibm.com/software/webservers/
appserv/
Vendor Advisory: none issued so far.
Type: Unparsed pages: Show code vulnerability
Author: Shreeraj Shah (shreeraj.shah@foundstone.com)
Saumil Shah (saumil.shah@foundstone.com)
Operating Systems: All operating systems
----------------------------------------------------------------------
Description
A show code vulnerability exists with IBM's Websphere allowing
an attacker to view the source code of any file within the web
document root of the web server.
Details
IBM WebSphere uses Java Servlets to handle parsing of various
types of pages (for example, HTML, JSP, JHTML, etc). In
addition to different servlets for handling different kinds of
pages, WebSphere also has a default servlet which is called
upon if a requested file does not have a registered handler.
It is possible to force the default servlet to be invoked if
the file path in the URL is prefixed with "/servlet/file/",
which causes pages to be displayed without being parsed or
compiled.
Vulnerable versions
All versions of IBM WebSphere 3.0.2
Verification of the vulnerability
It is easy to verify this vulnerability for a given system.
Prefixing the path to web pages with "/servlet/file/" in the
URL causes the file to be displayed without being parsed or
compiled. For example if the URL for a file "login.jsp" is:
http://site.running.websphere/login.jsp
then accessing
http://site.running.websphere/servlet/file/login.jsp
would cause the unparsed contents of the file to show up in
the web browser.
Solution
Workaround:
Remove the InvokerServlet from the webapplication
Fix:
APAR PQ39857 will be available soon at the site:
http://www-4.ibm.com/software/webservers/appserv/efix.html
Credits
We would like to thank IBM for their prompt and serious
reaction to this problem.
Disclaimer
THE INFORMATION CONTAINED IN THIS ADVISORY IS THE COPYRIGHT
(C) 2000 OF FOUNDSTONE, INC. AND BELIEVED TO BE ACCURATE AT
THE TIME OF PRINTING, BUT NO REPRESENTATION OR WARRANTY IS
GIVEN, EXPRESS OR IMPLIED, AS TO ITS ACCURACY OR COMPLETENESS.
NEITHER THE AUTHOR NOR THE PUBLISHER ACCEPTS ANY LIABILITY
WHATSOEVER FOR ANY DIRECT, INDIRECT OR CONSEQUENTIAL LOSS OR
DAMAGE ARISING IN ANY WAY FROM ANY USE OF, OR RELIANCE PLACED
ON, THIS INFORMATION FOR ANY PURPOSE. THIS ADVISORY MAY BE
REDISTRIBUTED PROVIDED THAT NO FEE IS ASSIGNED AND THAT THE
ADVISORY IS NOT MODIFIED IN ANY WAY.