Date:         Thu, 25 Jan 2001 15:13:33 -0800
From: mhalls <mhalls@NIELSEN.NET>
Subject:      Yet Another IBM WebSphere Showcode Vulnerability
To: BUGTRAQ@SECURITYFOCUS.COM

Summary:  When IBM WebSphere application server shares the same document
root as Netscape Enterprise server it is possible for a malicious user to
view the source of any JSP file in the document root.

WebSphere's plugin for Netscape Enterprise server uses the host header
sent from the client browser to determine if it should intercept a request
by matching the host header against its list of "host aliases" configured
in WebSphere.  Changing the host header to a value that WebSphere
doesn't expect bypasses the plugin, allowing the JSP file to be delivered
as a regular file by Netscape Enterprise server.

Exploit:  Configure your hosts file to point a random name to the IP
address of the server and then point your browser to
http://randomhostname/somejspfile.jsp.  If the randomhostname is not in
WebSphere's list of host aliases it will be served as a regular
file.

Solution:  Change the document root of WebSphere to point to a different
location than the Netscape Enterprise Server document root and move all
JSP files to the new location.  Maybe others?
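The routing decision the post describes, and why the suggested fix works, as an added model (constructed illustration, not code from WebSphere, Netscape Enterprise Server, or the post's author; file names, the alias `www.example.com`, and the check function are assumed):

```python
# Constructed model of the request routing described in the post above.
# Not WebSphere or Netscape Enterprise Server code; names are invented.

def route(host, path, host_aliases, static_files, jsp_files):
    """Return what would be served for one request.

    host_aliases: Host header values the WebSphere plugin intercepts.
    static_files: files under the Netscape Enterprise Server document root.
    jsp_files:    files under WebSphere's document root.
    """
    name = path.lstrip("/")
    # 1. The plugin decides purely on the Host header.
    if host in host_aliases:
        return "jsp-executed" if name in jsp_files else "not-found"
    # 2. Any other Host falls through to the static server, which serves
    #    whatever sits in its document root as a plain file.
    if name in static_files:
        return "jsp-source-disclosed" if name.endswith(".jsp") else "static"
    return "not-found"


ALIASES = {"www.example.com"}          # assumed host alias list

# Vulnerable layout: both servers see the same document root.
SHARED = {"index.html", "login.jsp"}

def vulnerable(host, path):
    return route(host, path, ALIASES, static_files=SHARED, jsp_files=SHARED)

# Fixed layout (the post's solution): JSP files are moved out of the
# static document root, so a request that bypasses the plugin cannot
# reach them through the static server.
STATIC_ONLY = {"index.html"}
JSP_ONLY = {"login.jsp"}

def hardened(host, path):
    return route(host, path, ALIASES, static_files=STATIC_ONLY,
                 jsp_files=JSP_ONLY)

def jsp_in_static_root(static_files):
    """Configuration check: every .jsp the static server can reach is a
    source-disclosure risk under a Host-header bypass."""
    return sorted(f for f in static_files if f.endswith(".jsp"))
```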